Hello,

> Can she add a new UID of the same name "Alice <u...@company.com>" to
> her gpg key again?

I'm pretty sure that, yes, you can.

> In another scenario, Alice not only has a master key, but also
> subordinate keys, say for her notebook and mobile phone. First, can
> she say that the mobile phone should be able to sign/decrypt only for
> u...@alice.com?

For decryption: No. UIDs are always bound to the primary key. If someone encrypts data to you, they are free to choose whatever non-expired encryption-capable subkey or master key they want. In practice, you'll usually see that it will be encrypted to the last created non-expired key.

You choose which key you use to sign with; your peers will accept signatures from any non-expired signing-capable key.

There is no proper way to say to your peers "encrypt to this subkey if you want me to read it on the move and encrypt to that subkey if you want me to read it only on my super-secure computer".

> What happens if a subordinate key of mine expires? Can I just
> generate a new one and let people know? Or would I also have lost
> trust/signatures of my identities gathered in the past?

You can simply generate a new one. Certifications are done on the pair of a UID and your master key. Subkeys don't play a role in certifications.

> Just that he trusts UID X belongs to the name and address given in
> UID X, and that UID X is associated with Alice's master key

Precisely. Although you are actually a bit too specific. A certification means what the signing party wants it to mean. Some people will not verify the e-mail address. Some will decline to sign a key with a comment they can't properly verify or otherwise object to. Some will have their signature mean "I've seen multiple e-mails from this person signed with this key", others will want to hire a private investigator and interrogate your parents (obviously only after a DNA test).

> Finally, I am wondering how I should organise my UIDs.

There is no single best way. Both all UIDs on one key and separate keys per UID are done. Both have their pros and cons.

> Would it be considered strange, or even rude of some sort, if I
> asked someone to sign a number of identities of mine scattered
> across multiple gpg keys

No, I wouldn't think so. But obviously someone might say "I'm sorry, that's too much effort for me" :).

> P.S.: It seems like my previous attempt to post this message failed.
> I hope the mail won't come through twice now. I'm sorry if it does.

It did come through twice; the time it takes for your message to be circulated to all the members can vary quite a bit.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
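An added illustration of the point above that certifications hang off the (UID, primary key) pair rather than off subkeys; this is example code written for this page, not Peter's or GnuPG's own. It parses a constructed `gpg --with-colons --list-sigs` listing with made-up key IDs, assuming the standard colon-format field positions (key ID in field 5, expiry in field 7, user ID in field 10, signature class in field 11).

```python
from typing import Dict, List, Tuple

# Constructed listing with made-up key IDs (not real keys): a primary key, two user
# IDs with one third-party certification each, an expired encryption subkey and its
# replacement. Field layout follows `gpg --with-colons --list-sigs`.
SAMPLE = """\
pub:u:4096:1:AAAA000000000001:1356000000:::u:::scESC::::::23::0:
uid:u::::1356000000::HASH1::Alice <alice@company.com>::::::::::0:
sig:::1:AAAA000000000001:1356000000::::Alice <alice@company.com>:13x:::::::::
sig:::1:BBBB000000000002:1356100000::::Bob <bob@example.org>:10x:::::::::
uid:u::::1356000000::HASH2::Alice <alice@alice.com>::::::::::0:
sig:::1:AAAA000000000001:1356000000::::Alice <alice@company.com>:13x:::::::::
sig:::1:CCCC000000000003:1356200000::::Carol <carol@example.net>:12x:::::::::
sub:e:4096:1:DDDD000000000004:1356000000:1400000000:::::e::::::23:
sig:::1:AAAA000000000001:1356000000::::Alice <alice@company.com>:18x:::::::::
sub:u:4096:1:EEEE000000000005:1450000000::::::e::::::23:
sig:::1:AAAA000000000001:1450000000::::Alice <alice@company.com>:18x:::::::::
"""

def parse_listing(text: str) -> Tuple[str, List[dict]]:
    """Return (primary key ID, holders). A holder is a uid or sub record plus the
    sig records that follow it, as (signer key ID, signature class) pairs."""
    primary, holders = "", []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary = f[4]                       # field 5: key ID
        elif f[0] == "uid":
            holders.append({"kind": "uid", "label": f[9], "expiry": None, "sigs": []})
        elif f[0] == "sub":                      # field 7: expiry timestamp, empty if none
            holders.append({"kind": "sub", "label": f[4], "expiry": int(f[6]) if f[6] else None, "sigs": []})
        elif f[0] == "sig" and holders:          # field 11: class, 10x..13x certify a UID, 18x binds a subkey
            holders[-1]["sigs"].append((f[4], f[10]))
    return primary, holders

def certifications(text: str, now: int) -> Dict[str, dict]:
    """Per user ID and subkey: third-party certifiers, expiry state, primary-key binding."""
    primary, holders = parse_listing(text)
    report = {}
    for h in holders:
        report[h["label"]] = {
            "kind": h["kind"],
            "expired": h["expiry"] is not None and h["expiry"] < now,
            # certifications are classes 0x10..0x13 made by a key other than the primary
            "certified_by": [s for s, c in h["sigs"] if s != primary and c[:2] in ("10", "11", "12", "13")],
            "self_bound": any(s == primary for s, _ in h["sigs"]),
        }
    return report
```

On the sample, the expired subkey carries only its self-binding signature from the primary key, while both user IDs keep their third-party certifications untouched by the subkey's expiry.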