
PGP Desktop: Several Signing Keys with one e-mail account?

Created: 15 June 2012 | 13 comments

I have different communication partners that do *not* accept the same key for signing. This is especially a problem with partners (companies) that require S/MIME with X.509 certificates (keys) authenticated by one, but not another Certification Authority. Thus, I have more than one X.509 certificate (key) for signing. And I need to send messages to recipient A signed with certificate 1, to recipient B signed with certificate 2 and so on.

But PGP Desktop seems only to accept one signing key (or certificate) per account, which cannot be modified in different "Policies" with respect to different recipients. I do not want to have to have different accounts for outgoing mail to different recipients (that would be too confusing).

(a) Is there any way to deal with this? A workaround?

(b) If not: This is a serious feature request.
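To make the requested behaviour concrete, here is an added illustration in Python; it is not code from this thread or from PGP Desktop. It models an ordered policy chain in which the first rule matching a recipient decides whether to encrypt, whether to sign, and with which signing identity, and it refuses to send when one message would need two different signatures or when a recipient whose rule requires encryption has no usable key, which is the "sending it unencrypted after all" failure the poster wants to rule out. All names (the `Policy` class, `plan_message`, the domains, the certificate labels and the key directory) are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


class PolicyError(Exception):
    """Raised when a message cannot be sent in a way that satisfies every policy."""


@dataclass(frozen=True)
class Policy:
    """One rule in an ordered chain; the first rule matching a recipient wins (hypothetical model)."""
    name: str
    match: str                          # exact address, "@domain" for a whole domain, or "*" for anyone
    encrypt: bool
    sign: bool
    signing_key: Optional[str] = None   # label of the certificate/key to sign with (constructed)
    required: bool = False              # True: never fall back to plaintext for this recipient

    def __post_init__(self) -> None:
        if self.sign and not self.signing_key:
            raise ValueError(f"policy {self.name!r} signs but names no signing key")

    def matches(self, address: str) -> bool:
        addr = address.strip().lower()
        if self.match == "*":
            return True
        if self.match.startswith("@"):
            return addr.endswith(self.match.lower())
        return addr == self.match.lower()


def select_policy(chain: Iterable[Policy], address: str) -> Policy:
    """First-match lookup down the ordered chain; a recipient no rule covers is an error."""
    for policy in chain:
        if policy.matches(address):
            return policy
    raise PolicyError(f"no policy matches {address}")


def plan_message(chain: List[Policy], recipients: List[str],
                 have_encryption_key: Callable[[str], bool]) -> Tuple[bool, Optional[str]]:
    """Decide (encrypt?, signing_key) for one outgoing message.

    Refuses when the recipients' rules name different signing keys (one
    message carries one signature, so it must be split) and when a rule
    that requires encryption cannot be honoured because a key is missing.
    """
    decisions = [(r, select_policy(chain, r)) for r in recipients]

    signing_keys = {p.signing_key for _, p in decisions if p.sign}
    if len(signing_keys) > 1:
        raise PolicyError(
            f"recipients need different signing keys {sorted(signing_keys)}; split the message")

    encrypt = any(p.encrypt for _, p in decisions)
    if encrypt:
        missing = [r for r, _ in decisions if not have_encryption_key(r)]
        if missing:
            if any(p.required for _, p in decisions):
                raise PolicyError(f"encryption required but no key for {missing}")
            encrypt = False  # only opportunistic recipients: plaintext is acceptable here

    return encrypt, (next(iter(signing_keys)) if signing_keys else None)


# Constructed chain modelled on the thread: two partner companies that each
# accept only a certificate from "their" CA, placed above the opportunistic default.
CHAIN = [
    Policy("Company A", "@company-a.example", encrypt=True, sign=True,
           signing_key="smime-cert-ca1", required=True),
    Policy("Company B", "@company-b.example", encrypt=True, sign=True,
           signing_key="smime-cert-ca2", required=True),
    Policy("Opportunistic", "*", encrypt=True, sign=False),
]

# Constructed stand-in for a keyring / certificate-store lookup.
KNOWN_ENCRYPTION_KEYS = {"alice@company-a.example", "bob@company-b.example"}


def has_key(address: str) -> bool:
    return address.strip().lower() in KNOWN_ENCRYPTION_KEYS


if __name__ == "__main__":
    for rcpts in (["alice@company-a.example"],
                  ["bob@company-b.example"],
                  ["carol@elsewhere.example"],
                  ["alice@company-a.example", "bob@company-b.example"],
                  ["alice@company-a.example", "dave@company-a.example"]):
        try:
            print(rcpts, "->", plan_message(CHAIN, rcpts, has_key))
        except PolicyError as err:
            print(rcpts, "-> REFUSED:", err)
```

The two refusals are the point of the model: a message addressed to both partner companies cannot be signed once to everyone's satisfaction, and a message to a company whose rule demands encryption is blocked rather than downgraded when a recipient's key is unknown.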


Tom Mcs

I would suggest recreating your PGP Messaging Service without a default key. I would expect you to then be able to select your desired signing key anytime you are signing. You could also change the Opportunistic Policy to just Encrypt; and create a new policy you would place right above that to require signing for the email addresses that need to have signing:

If any Recipients are:

Have the rest of the policy as the current Opportunistic Policy.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.

Participant-Participants

Dear Tom,

thank you for your interest and your reply. Suggestion 1 (leaving the default key empty) does not work with my PGP 10: PGP just picks a key and signs with that. It does not give me a choice of keys to use. Suggestion 2 (having two policies, one for signing and one for encrypting) does not work either; the signing policy will be disabled by PGP.

Any other idea?

Thanks again!

Tom Mcs

1) If you have your passphrase cached at the time of the signing, you may be able to do this if you purge your passphrase cache before sending the email.  Or if your only cached passphrase belongs to the desired signing key.

2) Of course, this would require you to have entered each of the email addresses you want to sign to.  You can use the + to the right to add more.  It might also be better to choose Encrypt and Sign instead of just Sign.

Participant-Participants

Thanks again, Tom! It is so nice to get a fast reply.

Maybe it can be done the way you suggest. However, the point was to set this up once (encrypt to X and sign with key 1, encrypt to Y and sign with key 2) and forget it; and from then on not to worry about it every time, get confused, and then screw it all up, either signing with the wrong keys or even sending it unencrypted after all!

One possibility would be to establish different sending accounts and then send to different people from different accounts. But that again will be confusing and may lead to mistakes in the heat of everyday business. I am certainly error-prone that way.

Again, maybe we can turn this into a feature request: choose the signing key not in the account but in the policies (or: being able to override it in the policies). As more people use PGP/MIME and S/MIME both at the same time, they may also use different signing keys for different purposes and with different recipients, so it may not just be me.

Where can feature requests be filed?

Tom Mcs

I think this would make a good feature request. You can do this by using the forum option Create Content - Idea. When I'm on my Symantec computer Monday, I'll try to find out if there is a better place.

Julian_Ms

I have tested this in my environment.

When I enable the sign button in Outlook and click send, PGP prompts for the signing key passphrase, and I must select which key will sign...

See screenshot attached.

Isn't this what you need?

This is a managed client, with Universal server.

signing key.png

When you consider the issue resolved, please click Mark As Solution on the post that best provided the solution.

Alex_CSTs

This would work in your scenario, but a feature request to add this as a policy option would be a very good idea.

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

Participant-Participants

Thank you for your reply!

However, I tried it and it did not work: I tried to leave the default key for my account empty. But when I do this, this screen comes up (see attachment) and forces me to choose a default key for this account. From then on, *this* is the default key. I cannot even delete the default key from the account, I can just switch it for another key.

All this is enormously tedious and not practical to do when I have other things on my mind.

PGPMessage.PNG

Julian_Ms

You can choose which key will sign each email, independently of which email address is sending the email.

That is exactly what you need...as I understand.

I don't think a feature request is needed.

Alex_CSTs

I believe he was asking if it was possible as a configurable policy option, which AFAIK it isn't.

Participant-Participants

I would like to be able to configure this ahead of time. When actually using my e-mail, I do not want to think any more about who actually accepted which certificates. (These certificates are a hassle anyway, I'd much prefer PGP keys, but my business partners are not able to use them - their IT departments not being very flexible. I am happy they managed to encrypt at all.)

So, I think a feature request it should be. Can anyone help me with how to do this effectively?

Alex_CSTs

Feature requests go in the Ideas section of Connect:

https://www-secure.symantec.com/connect/inside-symantec/ideas

I'd just make it clear you want it as a policy addition.

Just as a side note - why don't you get them using Web Messenger when you want to send them something encrypted?
