On 30/11/13 23:42, Klaus wrote:
> Ok, this will fix the WoT from my perspective. What about other users
> importing my work key?

Yes, you are of course correct. I forgot the other side for a moment :).

How about this:

- On your work PC, you only have the secret subkeys (signing and encryption) of your work keypair. The master key (for certification) is held securely at your home.
- You ask people, when they certify you, to certify both keys. It's a rare event, it's not that big of a burden all in all.
- When you switch jobs, you revoke the existing subkeys, the ones where the secret material was on the work PC. You create new subkeys for signing and encryption and place those on your new work PC.

That way, the IT department of the company (or other people with access to your work PC) will only gain access to work-related stuff /for that company/. Once you go work for the competitor, they can no longer access any new work-related stuff which is encrypted to the new subkey.

Your secret master key never enters the premises of the company you work for, and other people certify that master key, so you don't lose the certifications when you switch jobs.

> That shouldn't be a problem, as long as I don't ask people to sign my work
> key and don't sign with my work key.

You are a lot more free than that. Other people can sign both keys, and you can sign other people's keys with either of your master keys. You just shouldn't sign a key with /both/, if you want to keep the famous "some people" happy.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
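
The key layout described in the message above can be verified on the work PC. The following is an added example, not part of the original post: a shell function that reads `gpg --list-secret-keys --with-colons` output and checks that the master secret key is absent while at least one non-revoked secret subkey is present. It assumes the GnuPG 2.1+ colon format; the function name and the sample listings are constructed for illustration.

```shell
# Added example (not from the original post). Run on the work PC as:
#   gpg --list-secret-keys --with-colons | check_work_keyring
# Assumes the GnuPG 2.1+ colon format: field 2 = validity ("r" = revoked),
# field 5 = key ID, field 12 = capabilities, field 15 = "#" when the secret
# part is absent. A card serial number in field 15 counts as present.
check_work_keyring() {
    awk -F: '
        BEGIN { bad = 0; masters = 0; usable = 0 }
        $1 == "sec" {
            masters++
            if ($15 == "#") {
                printf "ok   master %s: secret part not on this machine\n", $5
            } else {
                printf "FAIL master %s: secret certification key present\n", $5
                bad = 1
            }
        }
        $1 == "ssb" {
            if ($2 == "r")        printf "note subkey %s: revoked\n", $5
            else if ($15 == "#")  printf "note subkey %s: no secret part\n", $5
            else { printf "ok   subkey %s [%s]: usable here\n", $5, $12; usable++ }
        }
        END {
            if (masters == 0) { print "FAIL no secret key records"; bad = 1 }
            if (usable == 0)  { print "FAIL no usable secret subkey"; bad = 1 }
            exit bad
        }'
}

# Constructed listing: master stub, revoked subkeys from the old job, new pair.
sample_after_job_switch() {
    cat <<'EOF'
sec:u:4096:1:1111111111111111:1385000000:::u:::scESC:::#:::23::0:
ssb:r:2048:1:2222222222222222:1385000000::::::s:::#:::23:
ssb:r:2048:1:3333333333333333:1385000000::::::e:::#:::23:
ssb:u:2048:1:4444444444444444:1417000000::::::s:::+:::23:
ssb:u:2048:1:5555555555555555:1417000000::::::e:::+:::23:
EOF
}

# Constructed listing: the full master secret key was copied to the work PC.
sample_master_on_work_pc() {
    cat <<'EOF'
sec:u:4096:1:1111111111111111:1385000000:::u:::scESC:::+:::23::0:
ssb:u:2048:1:2222222222222222:1385000000::::::s:::+:::23:
EOF
}
```

The function exits non-zero when the master secret key is present or no usable subkey is found, so it can gate a provisioning script for a new work machine.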