
For example, if I have a friend's public key that's associated with, say, email address john@domain.com, but I want to send him a message at john@other.net, is there a sensible way to do this? Is there a way to permanently associate john@other.net with the original public key?

I realize I could manually encrypt from the command-line (via the original email handle) and subsequently email that content, but I'm looking for something 'usable' that would properly integrate with my email client and other standard GPG/PGP tools.

I also realize it's possible to add a secondary uid/email address to a key you own, but that's not what I'm looking for either.

Chris W.

3 Answers


You can add aliases to ~/.gnupg/gpg.conf by abusing "groups":

group john@other.net = fingerprint-of-john@domain.com

In new versions of Evolution (tested with 3.22.6) the recipient is passed to gpg including angle brackets. Those must be added when defining the group:

group <john@other.net> = fingerprint-of-john@domain.com

Docs here: GPG Key related Options

grawity
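The group trick end to end, as an added example that is not part of the answer above: it builds a throw-away keyring, generates a key whose only user ID is john@domain.com (a constructed identity), adds both alias forms from the answer to that keyring's gpg.conf, and round-trips a message addressed to john@other.net. Assumes GnuPG 2.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not from the original answer: exercise a gpg.conf "group"
# alias end to end inside a throw-away keyring. "John Test", john@domain.com
# and john@other.net are constructed; nothing here touches the real ~/.gnupg.
set -e

demo_group_alias() {
    GNUPGHOME="$(mktemp -d)"
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"

    # A key whose only user ID is john@domain.com (requires GnuPG >= 2.1).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'John Test <john@domain.com>' default default never
    fpr="$(gpg --batch --with-colons --list-keys john@domain.com \
           | awk -F: '$1 == "fpr" { print $10; exit }')"

    # Both alias forms: the bare one matches what the CLI and most mailers
    # pass as the recipient, the bracketed one matches clients such as
    # Evolution that hand gpg "<addr>" verbatim.
    cat >> "$GNUPGHOME/gpg.conf" <<EOF
group john@other.net = $fpr
group <john@other.net> = $fpr
EOF

    # Encrypt to the alias only; gpg expands it to the fingerprint above.
    printf 'hello john\n' | gpg --batch --quiet --encrypt \
        --recipient john@other.net > "$GNUPGHOME/msg.gpg"
    out="$(gpg --batch --quiet --decrypt "$GNUPGHOME/msg.gpg")"

    # Clean up the agent started for the temporary home, then the home itself.
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    [ "$out" = "hello john" ]
}

demo_group_alias && echo "alias resolved and message round-tripped"
```

Running it against a real ~/.gnupg is not needed: the only change a user makes for the real case is the two group lines, with the fingerprint of the friend's actual key.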

Actually, Simon is wrong. You can add new user IDs and revoke old ones on an existing key. Attempting to masquerade as others aside, it would achieve very little to prevent this type of modification since the worst that can happen is that someone receives an encrypted message that they cannot decrypt. At which point they would discover that someone is playing games.

However, if a key has been signed by a third party and then a second UID is added to the key, the previous signatures are not applied to the new UID. You can actually see evidence of this on my key (0x321E4E2373590E5D) because I added two UIDs to my current key earlier this year.

Grawity's recommendation of using group lines is the quick and easy way around the UID disparity issue, especially when the other party either doesn't know how to update their key or doesn't care.

Ben

No, a key pair (public and private) cannot be changed after it is created. If the keys are for john@domain.com then that's it.

The reason for that is that the owner of the e-mail address has to be authenticated before a key pair is issued. If you could change the address afterwards, you could pretend to be someone else and that would make the whole process useless.

If you make your own key pair you can add more than one e-mail address, but such keys cannot be authenticated by others (they have to trust you).

Simon