keys require a user-id

Robert J. Hansen rjh at
Tue May 19 16:29:26 CEST 2020

> With the freeform approach, when I would have to use (auto) generated
> random chars or the fingerprint then I would have problems memorizing
> if this was your, dkg's or Werner's public keyblock and it could be
> also more error prone (typos), when using this method, in CLI mode.
--group {name=value}
        Sets up a named group, which is similar to aliases in email pro‐
        grams.  Any time the group name is a recipient (-r or  --recipi‐
        ent),  it  will  be  expanded  to the values specified. Multiple
        groups with the same name are automatically merged into a single

        The  values are key IDs or fingerprints, but any key description
        is accepted. Note that a value with spaces in it will be treated
        as  two  different  values. Note also there is only one level of
        expansion --- you cannot make an group that  points  to  another
        group.  When  used from the command line, it may be necessary to
        quote the argument to this option  to  prevent  the  shell  from
        treating it as multiple arguments.

The feature you want, GnuPG already has.  If my certificate had no email
address listed, you could put

	group rjh at

... and then whenever you asked GnuPG to encrypt something for
rjh at, GnuPG would silently substitute my certificate.

So let's recap:

* PII-free UIDs are possible today
* Nobody is forced to put PII in a UID
* Certificates can be relabeled with the 'group' option

It really seems like after all this discussion the only thing left is
you think GnuPG ought do a better job documenting how to create a
PII-free UID.  And if you can get the community to back you on that I'll
draft it myself.

More information about the Gnupg-users mailing list