Deploying GnuPG into University Administration

David Shaw
Thu Jan 9 16:15:03 2003

On Thu, Jan 09, 2003 at 12:13:41PM +0100, Daniel Luebke wrote:

> That should be no problem but there's one question, where I'm not quite
> sure, what to say: Since I only used gnupg in private environments, I
> don't know how to centrally manage about 30 keys.
> 1. In my imagination there should be a central certification key which
> is used by the IT department to sign all keys for the users.
> 2. The users should then fully trust that key, so that they needn't sign
> all keys of all employees.
> 3. The keyring should be centrally updatable.
> My question is how to achieve this. To create a central certification key
> is no problem and the administrators could modify the log on or user
> creation scripts accordingly, so that the central key is stored in the
> keyring and full ownertrust is set.
> But how to centrally manage all keys? One could create a central
> read-only keyring, which is used by gnupg where all employees' keys are
> stored or one could set up a keyserver?!

A keyserver can definitely handle this.  There are a handful of
different keyservers available, each with advantages and
disadvantages.  The two main ones are: is the "classic" keyserver that
runs  It has some bugs, but basically works for
common key types.... and totally mangles some other types.

PGP, Inc. has an LDAP-based keyserver that has some features that make
your particular use easier (users submit their keys, the keyserver
detects that they are not signed and automatically puts them on hold
so they can be signed).  This keyserver is not free (money) or free

Ask around on the keyserver operators mailing list
(, and you'll hear about some other
keyservers you can use.


   David Shaw  |  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
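The login-script setup Daniel describes (import the IT department's certification key, mark it as a trust root so that keys it has signed validate without each user signing them, and point gpg at a central keyserver) can be expressed as a small POSIX shell helper. This is an added example, not code from the thread or from the GnuPG project; the key file path, keyserver address and the placeholder fingerprint are assumptions to be replaced with the site's real values. The gpg invocations only run when the script is called with the argument `provision`, so the helper functions can be exercised on their own.

```shell
#!/bin/sh
# Constructed provisioning helper (example only). Intended to be called from
# a login or user-creation script so every user ends up with:
#   1. the central IT certification key in their keyring,
#   2. ultimate ownertrust on that key (the "fully trust" step), and
#   3. gpg.conf pointing at the central keyserver.
set -e

# Assumed site values (not from the thread); override via the environment.
CERT_KEY_FILE="${CERT_KEY_FILE:-/usr/local/share/it-cert-key.asc}"
# Pin the expected fingerprint so a swapped key file is not silently trusted.
CERT_KEY_FPR="${CERT_KEY_FPR:-0000000000000000000000000000000000000000}"  # placeholder
KEYSERVER="${KEYSERVER:-hkp://keys.example.internal}"
GNUPGHOME="${GNUPGHOME:-${HOME:-/tmp}/.gnupg}"

# Turn a fingerprint as gpg prints it ("0123 4567 ...") into the bare
# 40-hex-digit form that --import-ownertrust expects.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# One line of --import-ownertrust input: "<fingerprint>:<level>:".
# Level 6 is "ultimate", which makes the IT key a trust root for this user.
# Rejects anything that is not exactly 40 hex digits.
ownertrust_line() {
    fpr=$(normalize_fpr "$1")
    case "$fpr" in
        ''|*[!0-9A-F]*) echo "bad fingerprint: $1" >&2; return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || { echo "bad fingerprint length: $1" >&2; return 1; }
    printf '%s:6:\n' "$fpr"
}

# gpg.conf lines: use the central keyserver and fetch unknown keys from it
# on demand, so the IT department can publish new employee keys centrally.
keyserver_conf() {
    printf 'keyserver %s\nkeyserver-options auto-key-retrieve\n' "$1"
}

# Full provisioning for the current user (requires gpg on the system).
provision_user() {
    mkdir -p "$GNUPGHOME"
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --import "$CERT_KEY_FILE"
    # Confirm the pinned key is actually present before granting it trust.
    gpg --batch --with-colons --list-keys "$CERT_KEY_FPR" >/dev/null
    ownertrust_line "$CERT_KEY_FPR" | gpg --batch --quiet --import-ownertrust
    # Add the keyserver lines once; do not duplicate them on every login.
    if ! grep -q '^keyserver ' "$GNUPGHOME/gpg.conf" 2>/dev/null; then
        keyserver_conf "$KEYSERVER" >> "$GNUPGHOME/gpg.conf"
    fi
}

# Only touch the user's keyring when explicitly asked to.
if [ "${1:-}" = "provision" ]; then
    provision_user
fi
```

Pinning `CERT_KEY_FPR` rather than trusting whatever key the file contains is the important design choice: the ownertrust setting is what makes every key signed by that certificate valid for the user, so the script should only ever apply it to the fingerprint the administrators have verified.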