Suggestion: Corporate keyrings.

Brenno J.S.A.A.F. de Winter
Sun May 12 23:42:02 2002

Dear all,

The last couple of days I had some thoughts that I'd like to share with
you. Currently GnuPG is only focussed around an individual user, which
is logical since that's the OpenPGP spec. If I think about deployment in
businesses, another model ought to be considered as well. Address lists
in general are personal, and that automatically makes keyrings
personal too. Within businesses it's common practice to have an e-mail list
for an entire organization. Keyservers will help us somewhat in
obtaining public keys. Those keys are not verified and fingerprints
still have to be exchanged.

My suggestion is the following: let's build a system that supports corporate
keyrings. An administrator can verify the keys and set a trust. The
local GnuPG could access that keylist and rely on its trust. Such a
thing would be a setting in GnuPG. GnuPG communicates with the
keyserver. The exchange model has to be secure as well, so that spoofing
and other abuse isn't too easy to do (a keyset on the server could play
an important role to sign the transmissions).

If I'm not totally off track I would say that the majority of
functionality is available already, so that change may sound shocking
but might be relatively easy to implement. However, the benefits could be
huge. I'm curious how the community reacts to this suggestion ...


