Deploying GnuPG into University Administration

Adrian 'Dagurashibanipal' von Bidder avbidder@fortytwo.ch
Thu Jan 9 16:01:03 2003


On Thu, 2003-01-09 at 14:24, darren chamberlain wrote:

> > That should be no problem but there's one question, where I'm not quite
> > sure, what to say: Since I only used gnupg in private environments, I
> > don't know how to centrally manage about 30 keys.
>
> You could probably get keyserver software and run an internal keyserver.
> I think keyservers do all the things that you've outlined.

Except distributing trust information.

I think for a relatively small and homogeneous group (assuming a central
file server is available) a central keyring is probably easier to
maintain.

Distributing trust information: hmmm. Yes, distributing a default
trustdb or trust setting in the default gnupg.conf on account creation
is probably the only way; however, it seems quite fragile: how
about existing users? How about the certification key changing? This
problem definitely is unsolved in the OpenPGP world (and, I feel, badly
solved in the X.509 world. I cannot think of a generic solution ever
being implemented - trust is something everybody has to decide for
themselves.)

Oh, you could do this: create a key generation script for your people.
This would
 - generate the key
 - send the public key to the keyring manager
 - 'as forcefully as possible' get the people to make a backup and create an
   emergency revocation cert
 - lsign (or even exportable sign?) the cert key, and set ownertrust
 - depending on your site policy, probably additional things could be
   done like adding a dedicated revocation key, or submitting the
   revocation cert to the central authority, or submitting a password-less
   copy of the secret key to the authority or other evil things (probably
   not necessary in an academic context).

I think with this script available and key distribution solved, you
avoid most problems. Biggest problem (in terms of actual time spent)
will be users who have forgotten their password and users complaining
that they can't verify some signatures or who don't know how to use
their software.

WARNING: I have no experience with such things whatsoever.

cheers
-- vbi

-- 
What's the matter with the world?  Why, there ain't but one thing wrong
with every one of us -- and that's "selfishness."
		-- The Best of Will Rogers
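The provisioning script sketched in the message above, written out as an added example that is not part of the original mail. The file paths, the two-year expiry, the RSA-3072 size and the "full" ownertrust level for the keyring manager's key are assumptions; the script needs GnuPG 2.2 or later.

```shell
#!/bin/sh
# Added example, not from the mail: a per-user provisioning script following the
# steps sketched above. Assumed names: CA_PUBKEY is the keyring manager's
# certification key (armoured export), OUTBOX is a shared directory the manager
# collects new public keys from, BACKUP is where the user's own copy of the
# secret key and revocation certificate goes. Needs GnuPG 2.2+.
set -eu
CA_PUBKEY="${CA_PUBKEY:-/srv/gpg/keyring-manager.asc}"
OUTBOX="${OUTBOX:-/srv/gpg/outbox}"
BACKUP="${BACKUP:-${HOME:-.}/gpg-backup}"

# Unattended key generation parameters. No Passphrase line, so gpg asks the
# user through pinentry and the secret key is never stored unprotected.
batch_params() {
    printf 'Key-Type: RSA\nKey-Length: 3072\nSubkey-Type: RSA\nSubkey-Length: 3072\n'
    printf 'Name-Real: %s\nName-Email: %s\nExpire-Date: 2y\n%%commit\n' "$1" "$2"
}

# One line of --import-ownertrust input, "<fingerprint>:<level>:", using the
# file encoding marginal=4, full=5, ultimate=6.
ownertrust_line() {
    case "$2" in
        marginal) lvl=4 ;; full) lvl=5 ;; ultimate) lvl=6 ;;
        *) echo "unknown trust level: $2" >&2; return 1 ;;
    esac
    printf '%s:%s:\n' "$1" "$lvl"
}

# Primary-key fingerprint of the first key in an armoured key file.
fingerprint_of() {
    gpg --batch --with-colons --show-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}
provision_user() {
    name="$1"; email="$2"
    batch_params "$name" "$email" | gpg --batch --generate-key
    fpr=$(gpg --batch --with-colons --list-keys "$email" | awk -F: '$1=="fpr"{print $10; exit}')
    mkdir -p "$OUTBOX" "$BACKUP"
    gpg --batch --armor --export "$fpr" > "$OUTBOX/$fpr.asc"          # to the keyring manager
    gpg --batch --armor --export-secret-keys "$fpr" > "$BACKUP/$fpr.secret.asc"   # passphrase-protected
    cp "${GNUPGHOME:-$HOME/.gnupg}/openpgp-revocs.d/$fpr.rev" "$BACKUP/"  # auto-generated revocation cert
    # Trust the central certification key: local (non-exportable) signature plus
    # full ownertrust, so keys the manager has certified verify as valid.
    gpg --batch --import "$CA_PUBKEY"
    ca=$(fingerprint_of "$CA_PUBKEY")
    gpg --batch --yes --lsign-key "$ca"
    ownertrust_line "$ca" full | gpg --batch --import-ownertrust
}

if [ "$#" -ge 2 ]; then provision_user "$1" "$2"; fi
```

Run as `provision.sh "Jane Doe" jane@example.edu` on the user's account; the ownertrust import is what makes signatures from keys the manager has certified validate, which a keyserver alone cannot distribute.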
