keys require a user-id

Robert J. Hansen rjh at sixdemonbag.org
Tue May 19 16:29:26 CEST 2020


> With the freeform approach, when I would have to use (auto) generated
> random chars or the fingerprint then I would have problems memorizing
> if this was your, dkg's or Werner's public keyblock and it could be
> also more error prone (typos), when using this method, in CLI mode.
--group {name=value}
        Sets up a named group, which is similar to aliases in email programs.
        Any time the group name is a recipient (-r or --recipient), it will
        be expanded to the values specified. Multiple groups with the same
        name are automatically merged into a single group.

        The values are key IDs or fingerprints, but any key description is
        accepted. Note that a value with spaces in it will be treated as two
        different values. Note also there is only one level of expansion ---
        you cannot make a group that points to another group. When used from
        the command line, it may be necessary to quote the argument to this
        option to prevent the shell from treating it as multiple arguments.

The feature you want, GnuPG already has.  If my certificate had no email
address listed, you could put

	group rjh at sixdemonbag.org=0x1DCBDC01B44427C7

... and then whenever you asked GnuPG to encrypt something for
rjh at sixdemonbag.org, GnuPG would silently substitute my certificate.
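The following is an added example, not code from the post or from GnuPG itself: a small Python model of the documented `group` semantics (same-name groups merged, values split on whitespace, one level of expansion only), run over a constructed gpg.conf fragment. The addresses and key IDs in the sample configuration are made-up placeholders.

```python
"""Model of gpg's 'group' option resolution, as described in gpg(1).

This is an illustration of the documented rules, not GnuPG's own code.
"""
from collections import OrderedDict


def parse_groups(conf_text):
    """Parse 'group NAME=VALUE [VALUE...]' lines from gpg.conf-style text.

    Lines repeating the same NAME are merged into a single group, and the
    value part is split on whitespace, so a value containing a space becomes
    two separate key descriptions, exactly as the man page warns.
    """
    groups = OrderedDict()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] != "group":
            continue                      # some other gpg.conf option
        name, sep, values = parts[1].partition("=")
        name = name.strip()
        if not sep or not name or not values.strip():
            continue                      # malformed group line, ignore
        bucket = groups.setdefault(name, [])
        for value in values.split():
            if value not in bucket:
                bucket.append(value)
    return groups


def expand_recipients(recipients, groups):
    """Expand a list of -r/--recipient arguments.

    A recipient naming a group is replaced by that group's values. There is
    only one level of expansion: a value that happens to be another group's
    name is passed through unchanged and would be looked up in the keyring
    as an ordinary key description.
    """
    expanded = []
    for recipient in recipients:
        if recipient in groups:
            expanded.extend(groups[recipient])
        else:
            expanded.append(recipient)
    return expanded


# Constructed sample configuration; addresses and key IDs are placeholders.
SAMPLE_CONF = """
# relabel a certificate whose user ID carries no email address
group alice@example.org=0x0123456789ABCDEF
# a team alias, defined across two lines (merged into one group)
group team=alice@example.org 0xFEDCBA9876543210
group team=0x1111222233334444
# a group pointing at another group: NOT expanded a second time
group nested=team
"""


def demo():
    """Return the expansion of a few recipient lists for inspection."""
    groups = parse_groups(SAMPLE_CONF)
    return {
        "relabel": expand_recipients(["alice@example.org", "bob@example.org"], groups),
        "merged": expand_recipients(["team"], groups),
        "nested": expand_recipients(["nested"], groups),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result)
```

The `nested` case is the caveat worth checking in a real configuration: `gpg -r nested` would end up searching the keyring for a key matching the literal string `team`, not for the team's members.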

So let's recap:

* PII-free UIDs are possible today
* Nobody is forced to put PII in a UID
* Certificates can be relabeled with the 'group' option

It really seems like after all this discussion the only thing left is
you think GnuPG ought to do a better job documenting how to create a
PII-free UID.  And if you can get the community to back you on that I'll
draft it myself.


