ietf-openpgp

Re: "Roles" for subkeys?!

2009-02-01 13:04:05
Hi,

Christoph Anton Mitterer wrote:
> One advantage of subkeys is that one can use them independently from the
> primaries, I mean you don't need a copy of the primary private key to
> decrypt data encrypted with a public encryption subkey, or you don't
> need it to sign data with the secret signing subkey.
> gnupg even has some options to create such crippled keys, and they're
> good to use in e.g. less secure places like my work PC where every sysadmin
> has access to (Klaus, if you read this, it's not that I wouldn't trust
> you ;) )...

As far as I know, this is the primary use case for subkeys. I have a different
signature subkey on every computer that I use and the same encryption subkey.
The primary key is not installed anywhere.

> So far I don't need subkey roles,... but the problem now is,...
>
> 1. When one of my LHC/LCG/Grid/etc contacts sends me encrypted data,...
> he doesn't know which encryption subkey to choose, as you've said.
> And thus I'll probably be unable to decrypt the message (at least at
> work).

I think that having different encryption subkeys is pointless. While it is not
in the standard (maybe it should), all OpenPGP implementations encrypt to the
most recent valid encryption subkey.

> 2. When I make signatures with my different subkeys, I'd like that
> people see it when I used my not-so-secure work signing subkey (perhaps
> something that the user agent adds like <User ID> + "(this is my
> insecure work signing key)".

Not a bad idea. I think using the user id with your work email address in the
corresponding subpacket would accomplish this.

> I know that it is currently not possible to do this,.. but is there
> any interest in such things?

I think it is possible. See above.

-- 
Daniel
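The two mechanisms discussed above, the "most recent valid encryption subkey" selection rule and labelling a signature with the signer's user ID, both live in the OpenPGP packet format (RFC 4880: key-flags subpacket type 27, Signer's User ID subpacket type 28, key-expiration subpacket type 9). The following is an added example, not code from this thread or from any OpenPGP implementation: a minimal packet walker that picks the encryption subkey a sender would use and reads the Signer's User ID out of a data signature. All key bodies, MPIs, hash prefixes and user IDs in it are constructed and cryptographically meaningless; only the packet framing and subpacket layout follow the RFC, and the one-byte packet lengths assume every packet is under 192 bytes.

```python
"""Added example: select the newest unexpired encryption-capable OpenPGP
subkey and read the Signer's User ID subpacket. Key material is constructed
(fake MPIs, dummy hash prefix); only packet/subpacket framing is realistic."""
import hashlib
import struct

TAG_SIGNATURE, TAG_PUBLIC_SUBKEY = 2, 14
SP_CREATION, SP_KEY_EXPIRY, SP_KEY_FLAGS, SP_SIGNER_UID = 2, 9, 27, 28
FLAG_SIGN, FLAG_ENCRYPT_COMM, FLAG_ENCRYPT_STORAGE = 0x02, 0x04, 0x08
SIG_BINARY_DOC, SIG_SUBKEY_BINDING = 0x00, 0x18
NOW, DAY = 1_233_490_000, 86400  # constructed "current time", close to the thread's date


def packet(tag, body):
    """New-format packet header with a one-byte length (body < 192 bytes)."""
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body


def subpacket(sp_type, data):
    """Signature subpacket: one-byte length (covers type byte + data), type, data."""
    return bytes([len(data) + 1, sp_type]) + data


def subkey_packet(created):
    """Constructed v4 public-subkey packet: version 4, creation time, RSA, fake MPIs."""
    fake_mpi = struct.pack(">H", 8) + b"\xff"  # placeholder 8-bit MPI, not a real key
    body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + fake_mpi + fake_mpi
    return packet(TAG_PUBLIC_SUBKEY, body)


def signature_packet(sig_type, hashed_subpackets):
    """Constructed v4 signature: hashed area as given, empty unhashed area,
    dummy two-byte hash prefix and a dummy 8-bit signature MPI."""
    hashed = b"".join(hashed_subpackets)
    body = (bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", 0) + b"\x00\x00" + struct.pack(">H", 8) + b"\x01")
    return packet(TAG_SIGNATURE, body)


def iter_packets(data):
    """Yield (tag, body) for new-format packets that use one-byte lengths."""
    pos = 0
    while pos < len(data):
        tag, length = data[pos] & 0x3F, data[pos + 1]
        yield tag, data[pos + 2:pos + 2 + length]
        pos += 2 + length


def parse_hashed_subpackets(sig_body):
    """Return {subpacket_type: data} for the hashed area of a v4 signature."""
    n_hashed = struct.unpack(">H", sig_body[4:6])[0]
    area, pos, out = sig_body[6:6 + n_hashed], 0, {}
    while pos < len(area):
        length = area[pos]
        out[area[pos + 1]] = area[pos + 2:pos + 1 + length]
        pos += 1 + length
    return out


def fingerprint(key_body):
    """v4 fingerprint: SHA-1 over 0x99, two-byte body length, key packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()


def encryption_subkey(keyring, now):
    """Fingerprint of the most recently created, unexpired subkey whose binding
    signature carries an encryption key flag; None if there is none."""
    best, pending = None, None
    for tag, body in iter_packets(keyring):
        if tag == TAG_PUBLIC_SUBKEY:
            pending = body
        elif tag == TAG_SIGNATURE and pending is not None and body[1] == SIG_SUBKEY_BINDING:
            sp = parse_hashed_subpackets(body)
            flags = sp.get(SP_KEY_FLAGS, b"\x00")[0]
            created = struct.unpack(">I", pending[1:5])[0]
            expiry = struct.unpack(">I", sp[SP_KEY_EXPIRY])[0] if SP_KEY_EXPIRY in sp else None
            can_encrypt = bool(flags & (FLAG_ENCRYPT_COMM | FLAG_ENCRYPT_STORAGE))
            unexpired = expiry is None or created + expiry > now
            if can_encrypt and unexpired and (best is None or created > best[0]):
                best = (created, fingerprint(pending))
            pending = None
    return best[1] if best else None


def signer_user_id(sig_packets):
    """Signer's User ID (subpacket 28) from the first signature packet, or None."""
    for tag, body in iter_packets(sig_packets):
        if tag == TAG_SIGNATURE:
            uid = parse_hashed_subpackets(body).get(SP_SIGNER_UID)
            return uid.decode("utf-8") if uid else None
    return None


def build_sample_keyring():
    """Constructed subkeys: old encryption, the one a sender should pick,
    a newer sign-only subkey, and a newest encryption subkey that has expired."""
    def bind(created, flags, expiry=None):
        sps = [subpacket(SP_CREATION, struct.pack(">I", created)),
               subpacket(SP_KEY_FLAGS, bytes([flags]))]
        if expiry is not None:
            sps.append(subpacket(SP_KEY_EXPIRY, struct.pack(">I", expiry)))
        return subkey_packet(created) + signature_packet(SIG_SUBKEY_BINDING, sps)
    return (bind(NOW - 400 * DAY, FLAG_ENCRYPT_COMM | FLAG_ENCRYPT_STORAGE)
            + bind(NOW - 100 * DAY, FLAG_ENCRYPT_COMM | FLAG_ENCRYPT_STORAGE)
            + bind(NOW - 50 * DAY, FLAG_SIGN)
            + bind(NOW - 20 * DAY, FLAG_ENCRYPT_COMM, expiry=10 * DAY))


# Constructed data signature made on the "work" signing subkey, labelled via subpacket 28.
WORK_SIGNATURE = signature_packet(SIG_BINARY_DOC, [
    subpacket(SP_CREATION, struct.pack(">I", NOW)),
    subpacket(SP_SIGNER_UID, b"Christoph (work PC, low trust) <c@work.example>")])

if __name__ == "__main__":
    print("sender would encrypt to subkey", encryption_subkey(build_sample_keyring(), NOW))
    print("signature labelled as made by:", signer_user_id(WORK_SIGNATURE))
```

The selection loop treats a subkey as encryption-capable only if its binding signature's key flags say so, and drops it once the creation time plus the key-expiration subpacket is in the past; a real client additionally checks the binding signature itself and any revocation signature, which this walker deliberately does not do. The Signer's User ID subpacket sits in the hashed area, so it is covered by the signature and cannot be swapped out after the fact, which is what makes it usable as the "this is my work key" label the reply suggests.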
