ietf-openpgp

"Roles" for subkeys?!

2009-02-01 12:34:49
Hi WG!


Let me just pick the following from another thread up and fork it here:


On Sat, 2009-01-31 at 22:17 -0500, David Shaw wrote:
> Subkeys aren't really usable for roles.

I've always missed that,...

> User IDs make great roles.
> Subkeys can be used by anyone who cares to, so if you have two
> encryption keys, even though you intend one for "home" and one for
> "work", you have no way to tell me which one you want me to use, and
> even if you did, I could use the other one if I wanted to.

One advantage of subkeys is that one can use them independently from the
primaries, I mean you don't need a copy of the primary private key to
decrypt data encrypted with a public encryption subkey, or you don't
need it to sign data with the secret signing subkey.
gnupg even has some options to create such crippled keys, and they're
good to use in e.g. less secure environments like my work PC, which every
sysadmin has access to (Klaus, if you read this, it's not that I wouldn't
trust you ;) )...
So far I don't need subkey roles,... but the problem now is,...

1. When one of my LHC/LCG/Grid/etc. contacts sends me encrypted data,...
he doesn't know which encryption subkey to choose, as you've said.
And thus I'll probably be unable to decrypt the message (at least at
work).

2. When I make signatures with my different subkeys, I'd like people
to see when I used my not-so-secure work signing subkey (perhaps
something that the user agent adds, like <User ID> + "(this is my
insecure work signing key)").



I know that it is currently not possible to do this,.. but is there
any interest in such things?


Regards,
-- 
Christoph Anton Mitterer
Ludwig-Maximilians-Universität München

christoph(_dot_)anton(_dot_)mitterer(_at_)physik(_dot_)uni-muenchen(_dot_)de
mail(_at_)christoph(_dot_)anton(_dot_)mitterer(_dot_)name
