Different key pair for e-mail and signing code

john doe johndoe65534 at mail.com
Mon Jan 6 07:26:25 CET 2020


On 1/4/2020 10:10 AM, Robert J. Hansen wrote:
>> Following my thread at (1), unless I'm missing something, it became
>> apparent that Enigmail/Thunderbird does not fit the bill anymore.
>
> It should be noted that Enigmail hasn't changed how it does anything.
>

No argument there, Patrick is doing an outstanding job with Enigmail.
I should have said that Enigmail does not fit the bill for my needs
anymore, sorry about that.


>> My goal is to sign code and sign/encrypt e-mail but I'm not sure what's
>> the best way forward:
>
> We don't know, either.  It's going to depend on your own personal risk
> profile.
>
>> - Am I missing something/better approach
>
> If you want to segregate your code signing from your email, the best way
> to do that is with a second certificate -- not adding subkeys to your
> current one.
>
> Ask yourself this: how often have you noticed that my signed messages
> bear *two* signatures from *two* subkeys belonging to the same
> certificate?  I've been doing this for years and nobody's ever noticed.
>  (Or at least, nobody's ever mentioned it to me to ask why I'm doing
> something so weird.)
>
> So if you're depending on people ascribing special semantic value to
> which subkey is used -- honestly, I doubt people will ever even notice
> which subkey you're using.  It's simply not a use case that comes up
> very often, if ever.
>

From the answer in this thread, it looks like having two key pairs (one
for signing and one for e-mailing) is somewhat more flexible but this
approach is more complicated for the web of trust.

I guess I'll go with separate key pairs.

Thanks Robert for your answer in all my threads! :)

I'd like to also thank (1) for his answer, and (2) for his answer in
another thread (3).

1)  Wiktor Kwapisiewicz <wiktor at metacode.biz>
2)  Konstantin Ryabitsev <konstantin at linuxfoundation.org>
3)  https://lists.gnupg.org/pipermail/gnupg-users/2020-January/063190.html


--
John Doe


