On 04/26/2014 06:21 PM, John Sockwell wrote:
> I'm looking for best practices in creating and managing multiple subkeys and
> uids.
>
> In my scenario, I have a personal computer and personal email address. In
> addition, I have an employer provided computer and employer email address.
>
> I'd like to create a key architecture where if I'm ever compelled to
> compromise, revoke, or lose access to the signing and encryption keys on my
> work computer, the security and integrity of my personal files are preserved.
> The easiest solution seems to be generating separate primary keys for both
> identities. However, I believe this would undermine the WoT when I move to a
> new employer by not having all signing and encryption keys originating from
> the same primary key.
>
> Is it possible to assign an encryption and signing sub key to a specific uid
> so I can separate the keys used?
No, i think you need to use separate primary keys if you want to be able to separate encrypted work messages from encrypted personal messages.

But I also want to point out that some employers may have a legitimate need (even a legal compulsion) to be able to decrypt communications coming to your work-related e-mail. One reasonable solution to this is to provide them an escrowed copy of your encryption-capable subkey, perhaps locked in a way that you would need to be informed (or perhaps deceased?) that they were making use of the escrow.

However, i see *no* legitimate need for any employer to be able to forge data signatures or identity certifications from your work-related key. Escrow only makes sense for encryption-capable keys in limited contexts.

If you are in a situation where you are forced by employment to engage in key escrow, you should take steps to ensure that only your work-related encryption subkey is escrowed, and not your primary key, or any signing or certification-capable subkey.

Regards,

--dkg
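The key layout dkg recommends, as an added worked example that is not part of the thread or of GnuPG's own documentation: a certify-only primary key, separate signing and encryption subkeys under it, and an escrow export that carries only the encryption subkey's secret material. It assumes gpg 2.1 or later on PATH; the user id, e-mail address and file names are constructed for the example, and the keys are generated without a passphrase in a throwaway GNUPGHOME so the script runs unattended.

```shell
#!/bin/sh
# Added example (not from the thread or from GnuPG): build a work key with a
# certify-only primary plus separate sign/encrypt subkeys, export ONLY the
# encryption subkey for escrow, and check what the escrow holder would get.
# Assumes gpg 2.1+. Identity and paths below are constructed placeholders.
set -eu

export GNUPGHOME="$(mktemp -d)"   # scratch keyring; never touches ~/.gnupg
chmod 700 "$GNUPGHOME"

# Unattended gpg: no pinentry, empty passphrase (example only).
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# 1. Certify-only primary key: it certifies UIDs and subkeys, nothing else.
g --quick-generate-key "Work Identity (example) <work@example.org>" ed25519 cert 1y
FPR=$(g --list-keys --with-colons work@example.org |
      awk -F: '$1=="fpr" {print $10; exit}')

# 2. Separate signing and encryption subkeys under that primary.
g --quick-add-key "$FPR" ed25519 sign 1y
g --quick-add-key "$FPR" cv25519 encr 1y

# Fingerprint of the encryption subkey: field 12 of a "sub" record holds its
# capabilities, and the "fpr" record that follows it carries the fingerprint.
ENC_FPR=$(g --list-keys --with-colons "$FPR" | awk -F: '
  $1=="sub" { want = index($12, "e") > 0; next }
  $1=="fpr" && want { print $10; exit }')

# 3. Escrow export. The trailing "!" selects exactly that subkey; gpg still
# writes a primary-key packet, but only as a stub without secret material.
ESCROW="$GNUPGHOME/escrow-encr-subkey.gpg"
g --export-secret-subkeys "${ENC_FPR}!" > "$ESCROW"

# What the escrow holder sees: import the file into a fresh keyring and list
# each secret record as type:capabilities:field15. gpg sets field 15 to "#"
# when only a stub (no secret key material) is present.
escrow_contents() {
  h=$(mktemp -d); chmod 700 "$h"
  ( export GNUPGHOME="$h"
    g --import "$1" 2>/dev/null
    g --with-colons --list-secret-keys 2>/dev/null |
      awk -F: '$1=="sec" || $1=="ssb" { print $1 ":" $12 ":" $15 }'
    gpgconf --kill gpg-agent 2>/dev/null || true )
  rm -rf "$h"
}

# Checks a reviewer would run before handing the file over.
escrow_primary_is_stub() {          # primary key exported without its secret
  escrow_contents "$1" | grep -q '^sec:[^:]*:#$'
}
escrow_subkey_count() {             # number of secret subkeys in the export
  escrow_contents "$1" | grep -c '^ssb:' || true
}
escrow_has_only_encryption_subkey() {  # exactly one subkey, encryption-capable, real
  [ "$(escrow_subkey_count "$1")" -eq 1 ] &&
  escrow_contents "$1" | grep -q '^ssb:[^:]*e[^:]*:[^#]*$'
}

echo "escrow file: $ESCROW"
escrow_contents "$ESCROW"
if escrow_primary_is_stub "$ESCROW" && escrow_has_only_encryption_subkey "$ESCROW"; then
  echo "OK: only the encryption subkey's secret is in the escrow file"
else
  echo "REFUSE: escrow file carries more than the encryption subkey" >&2
fi
gpgconf --kill gpg-agent 2>/dev/null || true
```

The same `escrow_contents` check is worth running against any file you are asked to hand over: if the `sec` record lacks the `#` marker, or a `ssb` record with an `s` or `c` capability appears, the export includes signing or certification secrets and should not leave your machine.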
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users