web of trust vs subkeys use cases

Adrian von Bidder avbidder@fortytwo.ch
Tue Sep 24 16:25:02 2002


On Tue, 2002-09-24 at 15:17, David Shaw wrote:
> On Tue, Sep 24, 2002 at 02:41:25PM +0200, Tiago Antao wrote:
> > Hi!
> >
> >
> > What would be the best way to deal with this scenario:
> > We have a department of people that has to sign messages, each person
> > should have a different key, but the key should not be accepted after
> > the person goes away. For that we need to know if a key is trusted or
> > not. Is it better subkeys (its a small group so it can be manually
> > maintained) or using the mechanisms for a "web of trust"? If we used
> > subkeys, each person would have a subkey of a master key, and somebody
> > would maintain the master.
>
> I think that each person using a different subkey can quickly become
> very difficult to manage.  I recommend using the web of trust.  Create
> a "keymaster" key, which can then sign all of the individual keys in
> use. [...]

I share this opinion, not only because it's hard to manage (probably you
could deal with this as it's a small group), but also because this
master key will grow very big as the group changes (all the revoked
subkeys).

For those verifying the messages, you can still put all the relevant
keys in one file (gpg --export <list of keyids>), so importing the keys
can be done with one command as with one key.

cheers
-- vbi

-- 
secure email with gpg                           http://fortytwo.ch/gpg

NOTICE: subkey signature! request key 92082481 from keyserver.kjsl.com
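The keymaster arrangement the thread recommends (a keymaster key certifies each personal key, verifiers import one exported bundle, and a departing person's key stops being accepted), as an added example that is not part of this mail or of GnuPG's own documentation. It assumes GnuPG 2.2 or newer on a POSIX system with `gpg` and `gpgconf` in the path; the names, addresses and message text are constructed, and the departure is handled by importing the departing key's revocation certificate (having the keymaster revoke its certification would be the other route).

```sh
#!/bin/sh
# Added demo of the keymaster scheme; assumes GnuPG >= 2.2 as `gpg`. Names,
# addresses and the message are constructed. Everything runs in temp keyrings.
set -e
DEPT=$(mktemp -d); VER=$(mktemp -d); WORK=$(mktemp -d)   # department, verifier, scratch
chmod 700 "$DEPT" "$VER"
export GNUPGHOME="$DEPT"
cleanup() {
  gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME="$VER" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$DEPT" "$VER" "$WORK"
}
trap cleanup EXIT
# Unprotected demo key; the fingerprint comes from the KEY_CREATED status line.
mkkey() {
  gpg --batch --status-fd 1 --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$1" default default never 2>/dev/null |
    awk '$2 == "KEY_CREATED" { print $4 }'
}
KM=$(mkkey "Department Keymaster <keymaster@example.test>")
ALICE=$(mkkey "Alice Staff <alice@example.test>")
BOB=$(mkkey "Bob Staff <bob@example.test>")
# Web of trust, as recommended in the thread: the keymaster certifies each key.
gpg --batch --yes -u "$KM" --quick-sign-key "$ALICE" 2>/dev/null
gpg --batch --yes -u "$KM" --quick-sign-key "$BOB" 2>/dev/null
# One file for all verifiers: gpg --export <list of keyids>.
gpg --batch --export "$KM" "$ALICE" "$BOB" > "$WORK/bundle.gpg"

# Alice and Bob each sign the same message with their own key.
printf 'quarterly report attached\n' > "$WORK/msg.txt"
gpg --batch --yes -u "$ALICE" --output "$WORK/alice.sig" --detach-sign "$WORK/msg.txt"
gpg --batch --yes -u "$BOB"   --output "$WORK/bob.sig"   --detach-sign "$WORK/msg.txt"

# Verifier: import the bundle once and trust only the keymaster (ultimately), so
# every key it has certified becomes fully valid; then rebuild the trustdb.
GNUPGHOME="$VER" gpg --batch --quiet --import "$WORK/bundle.gpg" 2>/dev/null
printf '%s:6:\n' "$KM" | GNUPGHOME="$VER" gpg --batch --quiet --import-ownertrust 2>/dev/null
GNUPGHOME="$VER" gpg --batch --quiet --check-trustdb 2>/dev/null

# Trust level gpg assigns to a person's signature, or "revoked" once their key is.
verify_status() {
  GNUPGHOME="$VER" gpg --batch --status-fd 1 --verify "$WORK/$1.sig" "$WORK/msg.txt" 2>/dev/null |
    awk '$2 == "REVKEYSIG" || $2 == "KEYREVOKED" { r = 1 }
         $2 ~ /^TRUST_/ { t = $2 }  END { print (r ? "revoked" : t) }'
}

# Bob leaves: the department publishes the revocation certificate GnuPG stored at
# key creation (colon-prefixed against accidental import); verifiers import it.
sed 's/^://' "$DEPT/openpgp-revocs.d/$BOB.rev" | GNUPGHOME="$VER" gpg --batch --quiet --import 2>/dev/null
echo "alice: $(verify_status alice)"   # TRUST_FULLY
echo "bob:   $(verify_status bob)"     # revoked
```

Nothing in the verifier keyring is trusted except the keymaster, so a key that was never certified by it, or whose certificate has since been revoked, is not accepted as fully valid.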
