by sabedevops 20 days ago
I've struggled with PGP with the idea that I can't quite express "I'm signing as this specific User ID by using this specific signing subkey"... The only way I've found to reliably express that is to maintain completely separate keys. Is there anything in the works to give ergonomics around this?

You should only be signing other people's keys with your master key, which should never touch an internet-connected operating system. Subkeys should have limited privileges and be easy to lose or rotate as needed, but can all live under the same master offline identity key, which acts like a personal CA.