I recently got into using OpenPGP and in particular GnuPG (Kleopatra) on Windows.
Picking up the basics was easy enough, however, now I’m puzzled about best practises and not messing up.
I created a standard keypair for my real identity and connected my email adresses and my real life name to the pair (the mail adress contains my name anyway, my official adresses).
So I started distributing the public key manually, whom I gave a lifetime of 2 years for now.
Seeing the desolate and uncertain state keyservers are in right now, I was pleased to see that some of my email providers started implementing WKD, which makes things much easier.
Usually every provider has something to complain about my public key.
Either: -no names
-only one adress
-no expiration date
So what I’m asking is, is it safe to change your key by removing UID’s and expiration date temporarily, to export a pubkey taylored for one purpose and change everything back to normal afterwards?
Will it mess up other peoples keyring or can it cause information loss due to incompatibilty?
As far as I can see from changing the date, the privatekey fingerprint stays the same? So every version of my private key should still be able to decrypt everything that was every send to any version of my publickey? Or do I have that wrong?
Is there a better practise? Should I have set up a seperate keypair for every email provider?
“As far as I can see from changing the date, the privatekey fingerprint stays the same? So every version of my private key should still be able to decrypt everything that was every send to any version of my publickey? Or do I have that wrong?”
That is correct. If you change the data it’s still no problem to decrypt files that where encrypted before the change.
"Either: -no names
-only one adress
-no expiration date"
I also would recommend to set the address (and only one address) because that way applications can connect your email address with the correct key. Without the address saved in the key some programs don’t know which key they should use e.g. for signing. Gpg4win is one example for that. Other application let you select a key by entering an ID. So when saving the email address in the key you have less problems. For this reason it also makes sense to me to only use one key for one email address.
For this reason I would answer the question “Should I have set up a seperate keypair for every email provider?” with “Yes”.
best practices vary by personal (or work) requirements and prefered workflows.
So there are more than one.
On the question of having one keypair per email provider, it is fine to do so,
but means managing several private keys.
Another good practice is so add one email ID per email address you have to one keypair.
Usually you may have several email addresses per email provider, that is fine, add them all.
Then if a provider demands that you only list the email addresses in the public key
that you have with them, you can create a public key version that only has those email addresses.
I always recommend setting a recommendation date, even if it is ten years.
If this is your first keypair, two or four years would be something I’d use,
this has the drawback that you need todo a keyrollover after those years, but
on the other hand, if you make mistake in managing your key material, there is an end to when
people try to still use the public key. (BTW some more advanced usage is to extend an expiration period
or to use different expiration dates for subkeys.)
The main point is: the practive must match your needs.