How to add a comment to a key?

Hi,

If I create a new OpenPGP key in Kleopatra, I have to add at least a name and an email address.

But where is the “comment” field?

Yours

It is nowadays considered that comments in the UserID are a part of the OpenPGP standard that is problematic. A good writeup of the problems is:

https://debian-administration.org/users/dkg/weblog/97

For this reason we don’t show it in the GUI as we want to discourage its misuse.

If you really really want to add a comment to your user ID you have to use the command line and “gpg --full-gen-key” (the standard --gen-key also doesn’t ask for a comment anymore).

Hi,

many thanks for your rapid answer :wink:

But it seems that Kleopatra has the option to add a new comment if I add a new User-ID to the key…?

The idea was this: when first starting Kleopatra, you have to generate a key to make use of OpenPGP. You would then be asked for a comment, and that was not understandable for users, leading to bad comments. Better to have them enter a Name and / or a Mail Address. That is easy for a new user. So we removed the comment field there.

When adding a UserID I think the situation is a bit different. This is a feature for people who know what a User-ID is. So they probably know a bit more about a comment? Maybe they want that? I’m not sure if we should remove the comment field there, but it does not hurt as much as the initial “keygen” comment in my opinion.

Alright. Many thanks!

The linked post talks about server-side comments, for which I agree it absolutely makes sense; I too thought that comments in the creation box were for personal use only, and did not expect them to be uploaded to a public key server.
(But I don’t think keys are uploaded automatically, so a different comment can be asked for when you upload to a keyserver?)

I don’t know if it matches the OP’s problem, but is there anything wrong with having client-side comments? Like in an address book, which is basically one of the functions of WinGPG/Kleopatra;
I recently made a feature request upstream for such a purpose. (Though I seem to have forgotten the request part :oops: ) https://bugs.kde.org/show_bug.cgi?id=390949

It would be useful in the following user cases:

  • easily differentiate between own keys for different nicks/purposes
  • find back keys for verification of installers, when the signer used a personal rather than project email address.
  • assign keys for projects when signing files or documents (like in LibreOffice)
  • finding friends when they did not use their name but a nick in their mail (or reverse).

Ah,… that damn Andre Heinecke who does not respond to issues,… Sorry for that. I overlooked it. Task for this is now: https://dev.gnupg.org/T3968

You are not the first one with such a request and it’s a good request. We even had institutions requesting this for use cases like marking a key “Top Secret”, “Secret” or “Restricted” in their institution. But we were never contracted or got around to implementing it.

Technically it is not as simple as it sounds because we would not want to have a Kleopatra, local system, only solution but a general solution for our GnuPG System. It’s not horribly complicated but well, we need to work on it :slight_smile:

Maybe this is something we can do for 3.2.0 this summer, no promises though as this is a bit of an expert level / nerdy feature and we currently want to push “simple / automated” encryption more than detailed key management.

Best Regards,
Andre

Don’t worry, you still respond a lot quicker than I got to adding to the wiki (still somewhere down in my planning).
And after writing this up yesterday I realized it is indeed more complicated, since to get the best user value it needs to be supported by the other local programs that use GPG (like Thunderbird/Enigmail, LibreOffice, Mailvelope etc.) too.

As it is basically an address book feature, perhaps there is some knowledge or code within the KDEpim or Thunderbird community?
And as the feature itself is not really security-related, maybe you could apply for some Google Summer of Code-like project? (or directly with a college/university?)

As for use within organisations, I read in another question that you want to have a better way to sync keys down into the organisation, so if kept in mind, that could be combined with this.

I read the article by dkg, and what I kind of considered a “rant” about basically how the public could no longer be trusted with a comment section because they were too ignorant to use it correctly, several days ago, before I noticed that during new keypair creation in Kleopatra the option is gone.

Admittedly, on the keyservers I have seen the comments such as (This is the key I use at work, not the other one) and things like that but I also would have appreciated an “expert” toggle to display or not display this small field on the GUI that asked for a comment.

Maybe if I had seen a different explanation than the one by dkg, who seems like a rather asinine fellow (e.g. “Tools like enigmail and gpg (and Kleopatra, apparently) should not expose the “Comment:” field to users who are generating keys or choosing new User IDs.”)

Using the terminal commands to insert the comment I want will just have to suffice for now, it seems. And no, it won’t be that I like strawberries, much to the delight of dkg, I’m sure.

Sorry to hear that you are unhappy and you will probably disagree with me, but for me “Expert Mode” means people that read documentation and don’t just explore. And for such experts like yourself I think the command line will always be the best tool. As any expert GUI is just an abstraction added above the command line and I think it’s a bit of a trap to design a GUI for such experts.

During key generation I do not want to make users think (too much) as they will then automatically think it’s too complicated and run away. And for a user that does not know about OpenPGP UserIDs it’s just an unclear question if the GUI asks: “Do you have a comment on this?” I’m actually unhappy about the “Subkey settings” advanced GUI of the key generation dialog.

FWIW, I also agree with most of what DKG wrote. It’s not that users can’t be trusted, but it is hard to think of a use case for comments, especially regarding certification. If I want to certify your key I would also have to certify the comment. And while I can clearly check your name or the email address you use, how can I verify that a key with a comment like “offline key” is really your offline key?
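To make two points from this thread concrete (the comment is just the parenthesised middle part of the `Name (Comment) <email>` User ID that `gpg --full-gen-key` builds, and a certifier can check the name and address but has nothing to check a comment against), here is an added Python example that is not code from Kleopatra or GnuPG. The regex and the function names are my own assumptions; the User ID layout is the one gpg composes.

```python
import re

# gpg builds a User ID as "Name (Comment) <email>"; the comment is the optional
# parenthesised middle part. This regex and the helpers below are an assumption
# of this example, not GnuPG or Kleopatra code.
UID_RE = re.compile(
    r"^\s*(?P<name>[^(<]*?)\s*"        # name: everything before '(' or '<'
    r"(?:\((?P<comment>[^)]*)\)\s*)?"  # optional "(comment)"
    r"(?:<(?P<email>[^>]*)>\s*)?$"     # optional "<email>"
)


def parse_user_id(uid):
    """Split a gpg-style User ID into name, comment and email (None if absent)."""
    m = UID_RE.match(uid)
    if not m:
        raise ValueError(f"not a 'Name (Comment) <email>' User ID: {uid!r}")
    return {k: (v.strip() or None) if v is not None else None
            for k, v in m.groupdict().items()}


def build_user_id(name=None, email=None, comment=None):
    """Compose the User ID string from its three parts in gpg's layout."""
    if name and ("(" in name or "<" in name):
        raise ValueError("name must not contain '(' or '<'")
    if comment and ")" in comment:
        raise ValueError("comment must not contain ')'")
    parts = [p for p in (name, f"({comment})" if comment else None,
                         f"<{email}>" if email else None) if p]
    if not parts:
        raise ValueError("a User ID needs at least a name or an email")
    return " ".join(parts)


def certification_view(uid):
    """Separate what a certifier can check (name, email) from what nobody can
    verify from outside (the comment), the concern raised in the thread."""
    parts = parse_user_id(uid)
    return {
        "checkable": {k: parts[k] for k in ("name", "email") if parts[k]},
        "unverifiable_comment": parts["comment"],
    }


if __name__ == "__main__":
    uid = build_user_id("Alice Example", "alice@example.org", "offline key")
    print(uid)  # Alice Example (offline key) <alice@example.org>
    print(certification_view(uid))
```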