How to establish a company web-of-trust

Neal Dudley neal.dudley at utoledo.edu
Tue Mar 18 04:11:50 CET 2008


Karl Voit wrote:
> Our communication partners have to check the signature of our
> employees' keys and it's up to our partners that they check from time
> to time whether there was a change in the relationship between our
> employees and our company key - I guess this is the most difficult
> part.

NO - education on using GPG will be the hardest part.  If your partners
understand using GPG, you're more than half way there.  Given that
knowledge changes things a bit.  Why not generate all the keys *for*
your employees - AND immediately generate revocation certificates.  If
someone leaves, simply send the revocation certificate to those that
conversed with that employee (and submit it to your keyserver).

> But we do not want to use S/MIME for several reasons and our
> communication partners already are using OpenPGP-messages. So this
> decision is already done by facts not by arguing. Although I share
> your point of view.

If I wasn't a proponent of GPG, would I be on this list? ;)

I'm impressed with the maturity of this mailing list.  Most lists would
have exploded into a religious war.  Really says something of the
caliber of the people on this list.

> Absolutely. I (as the person responsible for company security) have
> to check every key that I am signing with the company key. I have to
> explain the important issues of key management to my employees
> (non-it people for most of the part). I do this by giving exact
> instructions with screenshots of every step - WinPT is helping here
> because it is mouse-oriented :-)
...
> I know that there might be some pitfalls concerning employees that
> sign everything or make other mistakes that can have an influence on
> our web-of-trust. But the alternative is worse: plain text - oh
> sorry ... HTML-Emails without encrypting or signing at all. And this
> has to be considered as the default method in companies these days
> :-(

There are some options here.  You could use the expert mode in GPG when
generating their signing keys to remove the ability to certify with the
signing keys to restrict users a bit more.  Then they could sign
documents, but not keys (if I understand that correctly).  Or perhaps
signing and encryption subkeys would be appropriate?  That would
simplify things - one primary signing key to protect.

> 100-250 employees will be the target. But not all of them need GPG.

Only some of them need GPG? Ought to make your life a little easier. ;)

> Sure. But I guess that scripts are not user-friendly enough for my
> employees :-(

Depending on what you are using with/for the MUA to implement the
signing and encryption, you could use rules to simplify this for the users.
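
A scripted version of the layout Neal sketches above (a primary key that
can only certify, separate signing and encryption subkeys, and a revocation
certificate kept from the moment the key is made and imported when the
employee leaves), added here as an example; it is not code from the thread
or from GnuPG's own documentation.  It assumes gpg 2.1 or later (the
--quick-* commands and the automatically written openpgp-revocs.d
certificate do not exist in 1.4); the user id, algorithms, validity periods
and file names are made up for the illustration.  Where the post talks
about expert mode to take the certify flag away from the signing key, the
2.1+ way is the other way round: generate the primary with usage "cert"
only and put signing and encryption on subkeys.

```sh
#!/bin/sh
# Added example, not from the thread: an offboarding-ready GnuPG key layout
# generated centrally, as the post proposes.  Requires gpg 2.1 or later.
# User id, algorithms, expiry and file names are assumptions made for the demo.
set -eu

# gpg with the options every scripted call here needs: no prompts, no pinentry,
# empty passphrase (the key is handed over and protected by other means).
gpgb() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Fingerprint of the first primary key matching a user id.
fpr_of() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Primary key that can only certify (the 2.1+ equivalent of removing the
# sign capability in expert mode), plus one signing and one encryption subkey.
# Employees work with the subkeys; the primary is the one thing to protect.
make_employee_key() {
    gpgb --quick-generate-key "$1" ed25519 cert never >/dev/null 2>&1
    _fpr="$(fpr_of "$1")"
    gpgb --quick-add-key "$_fpr" ed25519 sign 1y >/dev/null 2>&1
    gpgb --quick-add-key "$_fpr" cv25519 encr 1y >/dev/null 2>&1
    echo "$_fpr"
}

# gpg 2.1+ already wrote a revocation certificate at generation time, with a
# ':' in front of the armour header so it cannot be imported by accident.
# Strip the explanatory text and the ':' to get the file kept for offboarding.
export_revocation() {
    sed -e 's/^:-----BEGIN/-----BEGIN/' -e '/^-----BEGIN/,$!d' \
        "$GNUPGHOME/openpgp-revocs.d/$1.rev" > "$2"
}

# Offboarding: importing the certificate revokes the key in this keyring;
# the same file goes to the partners who corresponded with the employee
# and to the keyserver.
revoke_key() { gpg --batch --import "$1" >/dev/null 2>&1; }

# Validity field of the primary key ('u' = own valid key, 'r' = revoked).
key_validity() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "pub" { print $2; exit }'
}

# Capabilities of the primary key itself (lower-case letters of field 12;
# the upper-case letters describe the whole key including its subkeys).
primary_caps() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "pub" { print $12; exit }' | tr -d 'A-Z'
}

# Whole life cycle in a throwaway keyring: generate, record the primary's
# capabilities, keep the revocation certificate, revoke.  Prints "<caps> <validity>".
offboard_demo() {
    GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
    _fpr="$(make_employee_key "Alice Employee <alice@example.com>")"
    _caps="$(primary_caps "$_fpr")"
    export_revocation "$_fpr" "$GNUPGHOME/alice-revocation.asc"
    revoke_key "$GNUPGHOME/alice-revocation.asc"
    _validity="$(key_validity "$_fpr")"
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    echo "$_caps $_validity"   # expected: "c r"
}

if command -v gpg >/dev/null 2>&1; then
    offboard_demo
else
    echo "gpg not found; nothing generated" >&2
fi
```

Run it as `sh employee-key.sh`; it prints the primary key's own capability
letters (`c`, so the employee's key cannot certify other keys) and the
validity field after the revocation (`r`).  With this layout the company
can hand the employee only the subkeys (`gpg --export-secret-subkeys`) and
keep the certify-only primary offline.  Whoever holds the revocation
certificate can revoke the key at any time, so it needs the same protection
as the primary key, and once published a revocation cannot be undone.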
