Hi everyone, I'm a potential new gpg user, and have been struggling with a few questions about how uids and keys should be configured. I've pored over the documentation, mailing list, and web pages, and now want to verify what I've come up with so far. I know there are probably no "right" answers, but I would like to know if there is some kind of general consensus about "best practice". At the least, maybe I can find out how people have things set up for real-world usage.
1) Multiple uids (emails) per primary key versus multiple primary keys

I have 3 email addresses I currently use: one personal, one for foss development, and one for work. I could create 3 uids associated with the same primary key (option A), or 3 separate primary keys with 1 uid each (option B). Here are the trade-offs I've thought of - are they right? Anything else I should consider?

* Option A would require 1 passphrase, where B would require 3 passphrases.

* Assuming someone wants to certify all 3 uids:
  - Option A would require 1 fingerprint to be verified, B would require 3 fingerprints to be verified.
  - In both cases, 3 signatures would have to be made by the signer, one for each uid. Option A would be more "streamlined" since gnupg prompts the signer whether or not to sign each uid of a key (right?). Option B would require the other party to do "--sign-key" three times.

* Option A has 1 encryption key, B has 3. In the 3-key scenario, if I'm forced to reveal encrypted messages to one of the addresses, the others are not automatically compromised.

* As far as the web of trust goes: in both options, other people can trust the authenticity of each uid differently. I guess the difference is when I certify others' keys. With option A, I only certify keys with one key, whereas option B would give me a choice of 3 keys to certify with. I suppose that I would have 3 webs of trust in that case. If I include someone in all three webs, then their key will be signed by my name 3 times, albeit with 3 separate key ids. Would that be "weird"? I suppose this is where a "master signing key" comes in...

2) "Master signing key"

In the above option B, I could create a fourth (sign-only) key with which I cross-sign my 3 "uid keys" to unify the webs of trust.

* Would I certify other people's keys ONLY with this fourth key, and not the other 3?

* Wouldn't other people have to then certify at least 2 of my keys: the "master" and as many "uid keys" as they want to? Or would my cross-signing the "master" and the other person's trust in the "master" key cause the "uid keys" to be trusted?

* Do people have problems signing a "master signing key" that may not have an email address associated with it?

I'm leaning towards Option A (1 primary with 3 uids), just because it seems simpler. Option B (3 primary, 1 uid each) is still appealing because each uid gets its own encryption key. Is that the only trade-off between those two options?

Wow, sorry for the very long-winded message. Thanks in advance for any feedback.

Best regards,
David

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
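The following script is an added example, not part of David's message or of any reply on the list. It builds "Option A" from the question (one primary key carrying three uids) in a throwaway GNUPGHOME, then plays the role of a second person who certifies all three uids with a single non-interactive `--quick-sign-key` call, which is the "streamlined" case the question asks about; under Option B the signer would have to repeat the import-verify-sign step once per primary key. It assumes gpg 2.1 or newer on PATH; the names, addresses and the empty passphrase are constructed placeholders for the demo only.

```shell
#!/bin/sh
# Added example, not from the original post: one primary key, three uids,
# certified by a second keyring in one --quick-sign-key run (Option A).
# Assumes gpg >= 2.1. All identities below are constructed placeholders.
set -eu

PERSONAL='David (personal) <david@personal.example>'
FOSS='David (foss) <david@foss.example>'
WORK='David (work) <david@work.example>'
SIGNER='Signer <signer@example>'

# Isolated keyrings so nothing touches the real ~/.gnupg.
DAVID_HOME=$(mktemp -d)
SIGNER_HOME=$(mktemp -d)
chmod 700 "$DAVID_HOME" "$SIGNER_HOME"
# Let old 2.1.x agents accept the loopback pinentry used below.
echo allow-loopback-pinentry > "$DAVID_HOME/gpg-agent.conf"
echo allow-loopback-pinentry > "$SIGNER_HOME/gpg-agent.conf"

cleanup() {
    GNUPGHOME="$DAVID_HOME" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$SIGNER_HOME" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$DAVID_HOME" "$SIGNER_HOME"
}
trap cleanup EXIT

# g HOME args...: run gpg non-interactively against one keyring.
# Empty passphrase is for the demo only; a real key should have one.
g() {
    home=$1; shift
    GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' "$@"
}

# fpr_of HOME PATTERN: primary fingerprint of the first matching key.
fpr_of() {
    GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" 2>/dev/null \
        | awk -F: '$1=="fpr"{print $10; exit}'
}

# uid_count HOME KEY: number of user IDs on the key.
uid_count() {
    GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" 2>/dev/null \
        | awk -F: '$1=="uid"{n++} END{print n+0}'
}

# sigs_by HOME KEY KEYID: how many uids of KEY carry a certification
# made by the long key id KEYID (one sig per uid is counted).
sigs_by() {
    GNUPGHOME="$1" gpg --batch --with-colons --list-sigs "$2" 2>/dev/null \
        | awk -F: -v k="$3" \
            '$1=="uid"{u=1; next}
             $1=="sig"{if (u && $5==k) {n++; u=0}; next}
             {u=0}
             END{print n+0}'
}

# Option A: generate one primary key, then attach the other two uids.
setup_option_a() {
    g "$DAVID_HOME" --quick-gen-key "$PERSONAL" default default never
    fpr=$(fpr_of "$DAVID_HOME" "$PERSONAL")
    g "$DAVID_HOME" --quick-add-uid "$fpr" "$FOSS"
    g "$DAVID_HOME" --quick-add-uid "$fpr" "$WORK"
    echo "$fpr"
}

# The signer imports David's key and certifies every uid in one call.
# With Option B this whole function would run once per primary key.
certify_all_uids() {
    g "$SIGNER_HOME" --quick-gen-key "$SIGNER" default default never
    g "$DAVID_HOME" --export "$1" | g "$SIGNER_HOME" --import
    g "$SIGNER_HOME" --quick-sign-key "$1"
    # Hand the certified key back so David's keyring carries the sigs.
    g "$SIGNER_HOME" --export "$1" | g "$DAVID_HOME" --import
}

FPR=$(setup_option_a)
certify_all_uids "$FPR"
SIGNER_ID=$(fpr_of "$SIGNER_HOME" "$SIGNER" | awk '{print substr($0, length($0)-15)}')

echo "uids on $FPR: $(uid_count "$DAVID_HOME" "$FPR")"
echo "uids certified by $SIGNER_ID: $(sigs_by "$DAVID_HOME" "$FPR" "$SIGNER_ID")"
```

Running it prints 3 for both counts: one fingerprint to verify and one signing command on the signer's side covered all three uids. The counting helpers read gpg's `--with-colons` output, which is the stable machine-readable form of `--list-keys` and `--list-sigs`, so the same functions can be pointed at a real keyring to audit which of your uids a given correspondent has actually certified.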