Erron Criddle writes:
By binding an encryption sub key to a primary signing key, you are binding
it to multiple user id's (if multiple user id's exist), however if user id
(a) wants to encrypt data using sub-key (b) and user id (b) wants to
encrypt data using sub-key (a), where do you actually make the bind?
There is no way to express this in OpenPGP.
Would it be hard to express that in OpenPGP? Can a signature subkey be
added that specifies the top level id that should be linked to the subkey?
Accordingly, if the subkey is bound to all upper level id's (as is the case
now) then the signature subkey would simply be left blank.
Well, there is no way to express that in OpenPGP. If you are asking,
could we add a way to do that, the answer is that it would be technically
possible. The question is whether there is sufficient desire to add that.
I think if you wanted to do this, it would be better to add a way for
a given userid self-sig to say which subkey to use when that userid
was chosen as an encryption target, rather than the other way around
(subkey to point at userid).
Without this mechanism, the main use of multiple subkeys is to make
it easy to roll over your encryption keys relatively often, without
invalidating the validity of your key. That's an important piece of
functionality in itself.
We might wish to discuss whether it is worthwhile to go beyond this to
also allow the use of different subkeys for different userids. It would
add considerable complexity to the UI, and at PGP.com we are if anything
trying to simplify the UI. Most users still say encryption is too hard
to use.
Hal Finney