Change Details

Especially for functional mail addresses people often share secret keys. As there is no easy way to do this the sane way (i.e. share only subkeys) a lot of people share the whole key. To make the seemingly inevitable sharing of secrets keys more secure, we want to introduce a simple Create Team Key action. //Implementation// Add a file menu item "New OpenPGP Role Key Pair..." after the "New OpenGPG Key Pair ..." entry. This just calls the default key creation dialog with an option to generate a "Role Key". A certificate with separate "certify" and "sign" and encryption subkeys is generated. After generation the user is offered to "Share Secret Role Key ...". "Save Secret Role Key..." is also a menu entry after "File"->"Export...". This menu entry is only available if the primary key has only the capability "certify". The function could be a specialized version of the "Backup Secret Keys..." function. Choosing this function will open a dialog: ``` The following subkeys will be exported to a file. This file can be shared with team members who need to be able to open messages that are encrypted for that group. - all public subkeys - secret encryption subkey [ ] secret signing subkey Please choose if the team members shall be able to sign messages with the team key. They can sign messages with their personal private key instead. [OK] [Cancel] ```

//Edit 2025-06-17: changed the terms according to meeting results// Especially for functional mail addresses people often share secret keys. As there is no easy way to do this the sane way (i.e. share only subkeys) a lot of people share the whole key. To make the seemingly inevitable sharing of secrets keys more secure, we want to introduce a simple Create Team Key action. //Implementation// Add a file menu item "New OpenPGP Team Key Pair..." after the "New OpenGPG Key Pair ..." entry. This just calls the default key creation dialog with an option to generate a "Team Key". A certificate with separate "certify" and "sign" and encryption subkeys is generated. After generation the user is offered to "Share Secret Team Key ...". "Save Secret Team Key..." is also a **menu entry** after "File"->"Export...". **Tooltip**: "Save this secret key to share with other team members." The menu entry is only available if the primary key has only the capability "certify". The function is a specialized version of the "Backup Secret Keys..." function. Choosing this function will open a dialog: ``` The following subkeys will be saved to a file. This file can be shared with team members who need to be able to read messages that are encrypted for that key. * All public subkeys * Secret encryption subkey [ ] Secret signing subkey Please choose whether team members should be allowed to sign messages using the team key. Alternatively, they can use their personal key to sign. [OK] [Cancel] ```

//Edit 2025-06-17: changed the terms according to meeting results// Especially for functional mail addresses people often share secret keys. As there is no easy way to do this the sane way (i.e. share only subkeys) a lot of people share the whole key. To make the seemingly inevitable sharing of secrets keys more secure, we want to introduce a simple Create Team Key action. //Implementation// Add a file menu item "New OpenPGP RoleTeam Key Pair..." after the "New OpenGPG Key Pair ..." entry. This just calls the default key creation dialog with an option to generate a "Role"Team Key". A certificate with separate "certify" and "sign" and encryption subkeys is generated. After generation the user is offered to "Share Secret RoleTeam Key ...". "Save Secret RoleTeam Key..." is also a **menu entry** after "File"->"Export...". **Tooltip**: "Save this secret key to share with other team members." ThisThe menu entry is only available if the primary key has only the capability "certify". The function could beis a specialized version of the "Backup Secret Keys..." function. Choosing this function will open a dialog: ``` The following subkeys will be exportsaved to a file. This file can be shared with team members who need to be able to openread messages that are encrypted for that groupkey. - a* All public subkeys - s* Secret encryption subkey [ ] sSecret signing subkey Please choose if thewhether team members shallould be ablellowed to sign messages withusing the team key. They can sign messages withAlternatively, they can use their personal private key insteadto sign. [OK] [Cancel] ```