List: gnupg-users
Subject: Re: Enterprise Key Management?
From: Nicholas Cole <nicholas.cole () gmail ! com>
Date: 2013-03-18 10:24:32
Message-ID: CAAu18hdsTJecWVL=s6G1qABwyGtqmgzd=XDu9N-+0zkpfaU_zg () mail ! gmail ! com
On Mon, Mar 18, 2013 at 9:14 AM, Werner Koch <wk@gnupg.org> wrote:
> On Sat, 16 Mar 2013 12:36, abel@guardianproject.info said:
>
> > This seems like a better application of S/MIME as it, by design, is
> > centralized in the manner you describe.
>
> However, with S/MIME you can _only_ do centralized key management.
> OpenPGP allows one to implement an arbitrary key management policy.
>
> The OP mentioned signing subkeys. This could for example be used to
> allow several employees to sign data using the same key and the
> recipient will notice a valid signature with a published fingerprint
> from the company. A closer inspection would reveal which subkey has
> been used for signing and this can be used for internal audit processes
> (similar to the QA labels with an employer number on all kind of
> products). Revocation of a certain subkey would also be pretty easy. I
> assume this would easily scale to new dozen subkeys.
>
It's clever. Given careful management / dissemination it would allow a
group to share an encryption key but have separate signing keys. I don't
know if any software exists that operates in this way.
I do wonder if what the poster really meant, however, is not "subkeys" per
se but Trust-Signature certified keys.
I guess what is needed for most enterprise use is a system where the
company generates employee's keys and keeps a copy of them.
N.
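The audit step Werner describes, a "closer inspection" that reveals which signing subkey produced a signature, can be performed on the signature packet itself. The inspector below is an added example, not code from this thread or from GnuPG: it parses an RFC 4880 signature packet, pulls the Issuer (type 16) and Issuer Fingerprint (type 33) subpackets, and maps the resulting key ID onto an internal roster of employee subkeys. The roster, the revocation set and the sample packet are all constructed for the demo (the sample carries a dummy MPI, so it is not a verifiable signature). It identifies, it does not verify: run `gpg --verify` first, and note that the classic Issuer subpacket lives in the unhashed area, which the signature does not cover, so the code prefers the hashed Issuer Fingerprint when present.

```python
"""Inspect which OpenPGP key or subkey issued a signature (RFC 4880 packets).
Identification only: it does NOT verify the signature. Verify with gpg first,
then use this to answer the internal-audit question "which subkey signed?"."""
import struct
import time

PK_ALGS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGS = {2: "SHA1", 8: "SHA256", 10: "SHA512"}
SIG_TYPES = {0x00: "binary document", 0x01: "text document", 0x28: "subkey revocation"}

# Constructed roster and revocation list: the company's own record of which
# employee holds which signing subkey (key ID = last 8 bytes of fingerprint).
SUBKEY_ROSTER = {"0102030405060708": "alice", "1112131415161718": "bob"}
REVOKED_SUBKEYS = {"1112131415161718"}


def read_packet(data: bytes):
    """Parse one OpenPGP packet header (old or new format); return (tag, body)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                            # new-format header
        tag, l0 = first & 0x3F, data[1]
        if l0 < 192:
            length, off = l0, 2
        elif l0 < 224:
            length, off = ((l0 - 192) << 8) + data[2] + 192, 3
        elif l0 == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                       # old-format header (GnuPG uses 0x89 for sigs)
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = (1, 2, 4)[ltype]
        length, off = int.from_bytes(data[1:1 + size], "big"), 1 + size
    return tag, data[off:off + length]


def iter_subpackets(area: bytes):
    """Yield (type, value) for every subpacket in a hashed or unhashed area."""
    pos = 0
    while pos < len(area):
        l0 = area[pos]
        if l0 < 192:
            length, pos = l0, pos + 1
        elif l0 < 255:
            length, pos = ((l0 - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        sp_type = area[pos] & 0x7F              # top bit is the "critical" flag
        yield sp_type, area[pos + 1:pos + length]
        pos += length


def inspect_signature(packet: bytes) -> dict:
    """Return issuer details from a v4 signature packet (no verification)."""
    tag, body = read_packet(packet)
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a v4 signature packet (tag 2)")
    info = {"sig_type": SIG_TYPES.get(body[1], hex(body[1])),
            "pk_alg": PK_ALGS.get(body[2], str(body[2])),
            "hash_alg": HASH_ALGS.get(body[3], str(body[3]))}
    hlen = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hlen]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    unhashed = body[8 + hlen:8 + hlen + ulen]
    # Hashed subpackets are covered by the signature, unhashed ones are not,
    # so the hashed area is read first and setdefault keeps its values.
    for area_name, area in (("hashed", hashed), ("unhashed", unhashed)):
        for sp_type, val in iter_subpackets(area):
            if sp_type == 2 and len(val) == 4:
                info.setdefault("created", struct.unpack(">I", val)[0])
            elif sp_type == 16 and len(val) == 8:
                info.setdefault("issuer_keyid", val.hex().upper())
                info.setdefault("issuer_keyid_area", area_name)
            elif sp_type == 33 and len(val) == 21 and val[0] == 4:
                info.setdefault("issuer_fpr", val[1:].hex().upper())
    if "created" in info:
        info["created_iso"] = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(info["created"]))
    return info


def attribute_signature(packet: bytes) -> dict:
    """Map the issuing subkey to an employee and flag revoked subkeys."""
    info = inspect_signature(packet)
    kid = info.get("issuer_fpr", "")[-16:] or info.get("issuer_keyid", "")
    info.update(subkey=kid, employee=SUBKEY_ROSTER.get(kid, "unknown subkey"),
                revoked=kid in REVOKED_SUBKEYS)
    return info


def build_sample_packet(subkey_keyid_hex: str, created: int) -> bytes:
    """Constructed v4 signature packet with a realistic header/subpacket layout
    but a dummy MPI, so it is NOT a verifiable signature."""
    keyid = bytes.fromhex(subkey_keyid_hex)
    fpr = b"\xaa" * 12 + keyid                  # constructed fingerprint ending in key ID

    def sp(t, val):
        return bytes([len(val) + 1, t]) + val
    hashed = sp(2, struct.pack(">I", created)) + sp(33, b"\x04" + fpr)
    unhashed = sp(16, keyid)
    body = (bytes([4, 0x00, 22, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x12\x34" + b"\x00\x08\xab")    # hash prefix + dummy 8-bit MPI
    return bytes([0xC2, len(body)]) + body


if __name__ == "__main__":
    for kid in SUBKEY_ROSTER:
        r = attribute_signature(build_sample_packet(kid, 1363602272))
        print(f"{r['subkey']} -> {r['employee']}, revoked={r['revoked']}, "
              f"{r['pk_alg']}/{r['hash_alg']}, {r['created_iso']}")
```

Run it against a real detached signature by reading the `.sig` file (binary, not armored) into `attribute_signature`; the roster is where a company would keep its subkey-to-employee mapping, and the `revoked` flag is what makes Werner's "revocation of a certain subkey" visible to the audit trail.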
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users