Suggestion: Corporate keyrings.

Anthony E. Greene agreene@pobox.com
Mon May 13 14:42:02 2002


On 13-May-2002/08:38 -0000, "Brenno J.S.A.A.F. de Winter" <brenno@dewinter.com> wrote:
>> Why not have a corporate key. The admin signs the keys he has verified,
>> the user trusts this corporate key signing key, and so automatically he
>> trusts all keys in the corporation.
>Nope, my idea went a little bit further. Also non-corporate users could be
>verified (for instance: support@our-partner.companyxxx.com). Besides that,
>having a corporate key has some practical problems like passphrases and so.
>The thing is that we should sign and work as persons, but might want to share
>the infrastructure. I thought of this myself, but found corporate keys to be
>tricky.

I think you misunderstood the answer. The "corporate key" is not used by
everyone. It is used by a sysadmin to sign employees' individual keys.
Employees' GnuPG would be set up to trust the corporate key-signing key so
that any individual key signed by the corporate key would automatically be
valid to all employees.

There is no built-in limitation on what keys could be verified. Internal
as well as external keys could be verified. The corporate *key-signing*
key could have very limited access and need not even be exposed to the
network. Keys could be signed on a standalone machine and transferred via
CDROM to the keyserver.

The corporation might have other keys, but having one just for keysigning
would allow for strong and simple security measures to be applied.


Tony
-- 
Anthony E. Greene <mailto:agreene@pobox.com>
OpenPGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D
AOL/Yahoo Chat: TonyG05         HomePage: <http://www.pobox.com/~agreene/>
Linux. The choice of a GNU generation <http://www.linux.org/>

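As an added illustration (not code from the post or from GnuPG), a small Python model of the validity computation the scheme above relies on: the corporate key-signing key acts as a trusted introducer, and the model also shows that the ownertrust an employee assigns to it only takes effect once the employee has verified and signed that key. Key names and the keyring contents are constructed.

```python
"""Toy model of the corporate key-signing scheme from the post (added
illustration, not GnuPG's code). It applies GnuPG's classic rule, one fully
or three marginally trusted signers make a key valid, and ignores expiry,
revocation, trust depth and actual signature verification."""
from dataclasses import dataclass, field

FULL, MARGINAL, UNKNOWN = "full", "marginal", "unknown"
COMPLETES_NEEDED, MARGINALS_NEEDED = 1, 3

@dataclass
class Keyring:
    own_keys: set                                   # ultimately trusted keys
    certs: dict = field(default_factory=dict)       # key -> {signer, ...}
    ownertrust: dict = field(default_factory=dict)  # key -> FULL or MARGINAL

    def sign(self, signer, target):
        """Record that `signer` certified `target` (a key signature)."""
        self.certs.setdefault(target, set()).add(signer)

    def is_valid(self, key, _chain=frozenset()):
        """A key is valid if it is ours, or certified by enough signers that
        are themselves valid and carry ownertrust. As in GnuPG, ownertrust
        assigned to a key that is not itself valid counts for nothing."""
        if key in self.own_keys:
            return True
        if key in _chain:                           # break A<->B cycles
            return False
        full = marginal = 0
        for signer in self.certs.get(key, ()):
            if not self.is_valid(signer, _chain | {key}):
                continue
            trust = FULL if signer in self.own_keys else self.ownertrust.get(signer, UNKNOWN)
            full += (trust == FULL)
            marginal += (trust == MARGINAL)
        return full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED

def corporate_validity(verified_corp_key=True):
    """Employee Bob's view, constructed data: the corporate key-signing key
    certified Alice, Bob and a partner's support key; 'mallory' is certified
    only by a stranger. verified_corp_key: Bob checked the corporate key's
    fingerprint and signed it, so it is valid and its ownertrust counts."""
    kr = Keyring(own_keys={"bob"})
    kr.ownertrust["corp-signing"] = FULL
    if verified_corp_key:
        kr.sign("bob", "corp-signing")
    for k in ("alice", "bob", "support@partner"):
        kr.sign("corp-signing", k)
    kr.sign("stranger", "mallory")
    return {k: kr.is_valid(k) for k in ("corp-signing", "alice", "support@partner", "mallory")}
```

With the corporate key verified, every key it certified (internal or external) is valid to Bob while the stranger-signed key is not; with only ownertrust set and no verification, nothing the corporate key signed becomes valid.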