unfortunately, you can't predict their behavior, and if you change encryption keys more often than signature keys, they'll load the newest encryption key last.
Actually, the most recently-added key will be the one that is used. So updating your encryption key works fine, since the most recent encryption key will be on top, and hence used first.
For the problem that started this discussion, though, there's no good solution. Since the Bad Guys _can_ encrypt a message to you with your signature key, and send it to you by anonymous remailer, they can plant a reason to suspect that you may have evidence encrypted with that key.
True. To get around this problem you need the concept of a two-key certificate... However a rogue user could still use the signature key to encrypt, so I'm not sure that even this would help the problem.

-derek