User IDs

OpenPGP certificates (and keys) carry User IDs: the human-readable part of a certificate, meant to represent the keyholder, for instance in the form of an email address. Technically, a User ID is just a sequence of printable characters; its content depends on the intended use case. To retrieve a certificate for an email address, you can search for certificates that contain a User ID matching that address, for example:

<alice@example.com>

User IDs are not limited to email addresses; they can also contain a name:

Alice Example

or a combination of both:

Alice Example <alice@example.com>

Because email addresses have to be enclosed in angle brackets, they can be picked out of a User ID reliably. Other use cases may follow different conventions.

Instead of specifying an email User ID as --userid "<alice@example.com>", you can use --email "alice@example.com"; sq adds the angle brackets for you.
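The conventions above, worked through as an added example (it is not sq's own code and uses only the Rust standard library): a User ID is split into its name text and the angle-bracketed address, the `--email` shorthand is expanded to the bracketed form, and a lookup address is compared against the bracketed part only, so an address that merely appears inside the name text, or a longer address that contains the wanted one as a prefix, does not match.

```rust
// Added example (not sq's own code): parse a User ID into the name text and
// the angle-bracketed email address, and match a lookup address against
// that bracketed part only.
#[derive(Debug, PartialEq, Eq)]
pub struct UserIdParts<'a> {
    pub name: Option<&'a str>,
    pub email: Option<&'a str>,
}

fn non_empty(s: &str) -> Option<&str> {
    if s.is_empty() { None } else { Some(s) }
}

/// Splits a User ID into an optional name and an optional email address.
/// An address counts only if it sits in angle brackets at the end of the
/// User ID, has exactly one '@' with a non-empty local part and domain, and
/// contains no stray '>'; everything else is treated as free-form name text.
pub fn parse_user_id(uid: &str) -> UserIdParts<'_> {
    let uid = uid.trim();
    if uid.ends_with('>') {
        if let Some(open) = uid.rfind('<') {
            let email = uid[open + 1..uid.len() - 1].trim();
            let well_formed = match email.find('@') {
                Some(i) => i > 0 && i + 1 < email.len()
                    && !email[i + 1..].contains('@') && !email.contains('>'),
                None => false,
            };
            if well_formed {
                return UserIdParts { name: non_empty(uid[..open].trim()), email: Some(email) };
            }
        }
    }
    // No identifiable address: the whole string is name text. A bare
    // "alice@example.com" without brackets lands here as well.
    UserIdParts { name: non_empty(uid), email: None }
}

/// What `--email alice@example.com` stands for: the address in angle brackets.
pub fn email_user_id(addr: &str) -> String {
    format!("<{}>", addr.trim())
}

/// True if any User ID of a certificate carries exactly this address. A match
/// only means the key *claims* the address; it says nothing about authenticity.
pub fn has_email(user_ids: &[&str], addr: &str) -> bool {
    let want = addr.trim();
    user_ids.iter().any(|u| parse_user_id(u).email == Some(want))
}

fn main() {
    // Constructed sample User IDs, the three forms shown on this page.
    let uids = ["Alice Example", "<alice@example.com>", "Alice Example <alice@example.com>"];
    for u in uids { println!("{:?} -> {:?}", u, parse_user_id(u)); }
    println!("has alice@example.com: {}", has_email(&uids, "alice@example.com"));
}
```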

The cryptographic operations themselves do not need User IDs: encryption, decryption, signing, and verification never use the information supplied in a User ID. User IDs are markers that make key retrieval and human identification possible without resorting to fingerprints. For that purpose they are included in keys and certificates, and their integrity is protected by signatures that are also part of the key or certificate. There is no limit to the number of User IDs a key or certificate can contain.

User IDs can be added to a key at any time; they don't all have to be present when the key is generated.

User IDs are claims—anyone can create a key containing <alice@example.com> as a User ID and publish its certificate. How to validate the authenticity—the veracity and trustworthiness of the claim—is described in Authenticating certificates.

Removing a User ID from a key is complex. While it's technically possible to strip a User ID from a key, once the corresponding certificate has been distributed, it's impossible to recall the copies already in circulation. The solution is to revoke the User ID: the record of its revocation stays in the key, along with a revocation certificate. The revocation is also included in certificates generated from that key, giving software processing these certificates a hint as to how to handle that User ID (such as ignoring it).