10

For example, if I have a friend's public key that's associated with, say, email address [email protected], but I want to send him a message at [email protected], is there a sensible way to do this? Is there a way to permanently associate [email protected] with the original public key?

I realize I could manually encrypt from the command-line (via the original email handle) and subsequently email that content, but I'm looking for something 'usable' that would properly integrate with my email client and other standard GPG/PGP tools.

I also realize it's possible to add a secondary uid/email address to a key you own, but that isn't what I'm looking for either.

3
  • 1
    You should mention which client software you're using. Some clients could be able to do this.
    – Jens Erat
    Commented Apr 25, 2013 at 16:50
  • At present I'm using Evolution, but I was hoping for a solution (like the one below) that is "agnostic". I did notice that the Thunderbird GPG plugin (Enigmail) has functionality for associating secondary addresses... But I'm not a big fan of that client. :)
    – Chris W.
    Commented Apr 26, 2013 at 17:42
  • Related question: How do I manage multiple e-mail addresses with GnuPG?
    – vhs
    Commented Aug 2, 2022 at 0:31

3 Answers

7

You can add aliases to ~/.gnupg/gpg.conf by abusing "groups":

group [email protected] = [email protected]

In new versions of Evolution (tested with 3.22.6) the recipient is passed to gpg including angle brackets. Those must be added when defining the group:

group <[email protected]> = [email protected]

Docs here: GPG Key related Options

3
  • @Ramhound: No. The names and addresses you give to GPG when creating an OpenPGP cert are only ever used as labels for that cert, and as hints for senders which cert to choose for which recipient. The owner can add multiple such labels to a single cert (I've seen people add their ICQ UINs instead of email addresses), and multiple cryptographic keypairs too (in fact, almost all certs have two keypairs: one for signing, one for encryption)...
    Commented Apr 25, 2013 at 21:46
  • 1
    @Ramhound: ... Those have no relation other than being in the same cert, and they have no relation to the delivery method used. If I encrypt something with gpg -r [email protected], there is absolutely nothing that would require me to actually send it by email to that address: it can be sent to a different address, sent over Usenet or XMPP or IRC or Twitter, pastebinned, or even printed and sent by post. Thus the group option only tells GnuPG which cert to use for a given -r.
    Commented Apr 25, 2013 at 21:48
  • 1
    On emacs, (setq epg--configurations nil) to reset the cache if it's not reading from ~/.gnupg/gpg.conf properly. Just spent two hours on this
    – Sandra
    Commented Aug 18, 2022 at 11:38
2

Actually, Simon is wrong. You can add new user IDs and revoke old ones on an existing key. Attempting to masquerade as others aside, it would achieve very little to prevent this type of modification since the worst that can happen is that someone receives an encrypted message that they cannot decrypt. At which point they would discover that someone is playing games.

However, if a key has been signed by a third party and then a second UID is added to the key, the previous signatures are not applied to the new UID. You can actually see evidence of this on my key (0x321E4E2373590E5D) because I added two UIDs to my current key earlier this year.

Grawity's recommendation of using group lines is the quick and easy way around the UID disparity issue, especially when the other party either doesn't know how to update their key or doesn't care.

0

No, a key pair (public and private) can not be changed after they were created. If the keys are for [email protected] then that's it.

The reason for that is that the owner of the e-mail address has to be authenticated before a key pair is issued. If you could change the address after, you could pretend to be someone else and that would make the whole process useless.

If you make your own key pair you can add more than one e-mail address, but such keys can not be authenticated by others (they have to trust you).

2
  • 1
    Be careful with putting trust in the e-mail-address. E-mail addresses tend to change over time and could be reoccupied; and not everybody is checking the e-mail addresses (and eg. directly uploading signatures to keyservers).
    – Jens Erat
    Commented Apr 25, 2013 at 16:49
  • 3
    The email addresses (UIDs) and the key pairs are stored separately in OpenPGP "keys", so the first sentence is not very correct.
    Commented Apr 25, 2013 at 17:29
