How to establish a company web-of-trust

[Karl Voit]

* Neal Dudley <neal.dudley at utoledo.edu> wrote:
> Karl Voit wrote:
>> Our communication partners have to check the signature of our
>> employees keys and its up to our partners that they check from time
>> to time wether there was a change in the relationship between our
>> employees and out company key - I guess this is the most difficult
>> part.
>
> NO - education on using GPG will be the hardest part.  

I was afraid of this sentence :-)

> If your partners
> understand using GPG, you're more than half way there.  

I can not assume on this. I am in the automotive business and most
of the employees here was studying Mechanical Engineering. So
IT-knowldedge is not their primary goal and most of them do not want
to learn IT although I try my best to enlight something ... :-)

> Given that
> knowledge changes things a bit.  Why not generate all the keys *for*
> your employees - AND immediately generate revocation certificates.  If
> someone leaves, simply send the revocation certificate to those that
> conversed with that employee (and submit it to your keyserver).

I thought of that too.

I have to admit, that I do not want to generate the keys by myself
because I am lazy and we do have four bureau buildings that make
physical meetings more difficult and sending keys over the Exchange
server is not quite ... good :-)

So I tried to generate a system where I can get the keys from the
keyservers and check them (correct key-id, added revoker, ...)
before signing.

>> But we do not want to use S/MIME for several reasons and our
>> communication partners already are using OpenPGP-messages. So this
>> decision is already done by facts not by arguing. Although I share
>> your point of view.
>
> If I wasn't a proponent of GPG, would I be on this list? ;)
>
> I'm impressed with the maturity of this mailing list.  Most lists would
> have exploded into a religious war.  Really says something of the
> caliber of the people on this list.

Sorry, this is my first thread on this list :-)

But usually flaming stops after some years working in the
real-world-IT-business. I am even working on Windows the whole day
(in the company)! =:-|      (made an attempt for a flamewar? *ggg*)

>> Absolutely. I (as the person responsible for company security) have
>> to check every key that I am signing with the company key. I have to
>> explain the important issues of key management to my employees
>> (non-it people for most of the part). I do this by giving exact
>> instructions with screenshots of every step - WinPT is helping here
>> because it is mouse-oriented :-)
> ...
>> I know that there might be some pitfalls concerning employees that
>> sign everything or make other mistakes that can have an influence on
>> our web-of-trust. But the alternative is worse: plain text - oh
>> sorry ... HTML-Emails without encrypting or signing at all. And this
>> has to be considered as the default method in companies these days
>> :-(
>
> There are some options here.  You could use the expert mode in GPG when
> generating their signing keys to remove the ability to certify with the
> signing keys to restrict users a bit more.  Then they could sign
> documents, but not keys (if I understand that correctly).  Or perhaps
> signing and encryption subkeys would be appropriate?  That would
> simplify things - one primary signing key to protect.

Wow, I did not knew that! I'll have a look at these options but I
guess I stick to the revoker-method (also because every day there
are more employees that need to use GnuPG right now and I do have a
stress in making all these decisions).

>> 100-250 emplyees will be the target. But not all of them need GPG.
>
> Only some of them need GPG? Ought to make your life a little easier. ;)

Make my life *possible*! :-)

>> Sure. But I guess that scripts is not user-friendly enough for my
>> employees :-(
>
> Depending on what you are using with/for the MUA to implement the
> signing and encryption, 

gpg4win: collection of Windows-tools like gnupg, WinPT (key-mgt),
GpGee (Windows-Explorer extension), ...

So I am using WinPT and the corresponding Outlook-plugin.

> you could use rules to simplify this for the users.

I try to do this by giving very detailed instructions with a lot of
screenshots on our local intranet webserver.

-- 
Karl Voit