gnupg in large scale at University

zvrba at globalnet.hr zvrba at globalnet.hr
Fri Dec 23 22:01:19 CET 2005


On Fri, Dec 23, 2005 at 09:32:28PM +0100, zvrba at globalnet.hr wrote:
> 
> I would rank the initial setup effort as 2, 1, 3, 4.
> 
To followup on myself...

All your users will have to import your root certificate to stop SW
from complaining about an unknown root cert (but they'd have to do that
with your GPG root cert anyway).

AFAIR, Verisign (and possibly other CAs) offer "hosted PKI", or
"managed PKI" (these two are NOT equivalent), but I have no clue about
the price. If you really have strict security requirements, you might
go down that route.

Look at e.g. http://www.wisekey.com/pages/pki_managed.htm
(the difference between hosted and managed is that in hosted you have
your own, dedicated servers..) They are charging by the number of
"seats" in use.

Final words from me: running a PKI for a large organization is a COMPLEX
business. Don't make an immediate decision but create several toy CAs in
different ways (both X.509 and OpenPGP), and try to:

- issue certificate to several users (multiple certs for the SAME user,
  on different email addresses)
- revoke one particular certificate (e.g. one tied to particular email)
- play with CRL checking
- actually USE those certs on all platforms in question to see how much
  of a hassle it will be to less technical users

And one important question: how are you going to disambiguate users with
identical names (e.g. are you going to require a unique email address?). What
about shared email addresses? etc...

And do MUCH reading while doing this. IMO, what you're trying to do
requires serious preparation... you should play with all of the above
possibilities and READ during that time for at least a month before making
ANY kind of decision. Once you give your users PKI, they'll start coming
up with the strangest ideas... many of them you will flat-out reject, but
some of them will be legitimate requests and can catch you unprepared...

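A toy-CA drill of the kind the post recommends (issue several certs to the same person, revoke one, check the CRL), as an added example that is not from the post or from the GnuPG project: it uses openssl(1) to build a throwaway X.509 root, issue two certificates to one user on different e-mail addresses, revoke one, publish a CRL and verify both with CRL checking. The CA name, the user and the addresses are constructed; it assumes an openssl binary on PATH and writes only into a temporary directory.

```shell
# Toy X.509 CA drill: two certs for the SAME person on different addresses,
# revoke one, publish a CRL, verify both with CRL checking. All names and
# addresses below are constructed for the exercise.
set -eu
build_toy_ca() {
  WORK=$(mktemp -d) && cd "$WORK"
  mkdir newcerts && touch index.txt && echo 1000 > serial && echo 1000 > crlnumber
  # minimal openssl ca(1) config; the subject policy lets the e-mail vary
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = toy
[ toy ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
policy = toy_policy
[ toy_policy ]
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = empty_dn
[ empty_dn ]
EOF
  # self-signed root with explicit CA extensions (this is what users would import)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 365 \
    -subj "/CN=Toy University CA" -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" -config ca.cnf >/dev/null 2>&1
  # two certs for Jane Doe on different addresses (constructed identities)
  for addr in jane.doe@example.edu jdoe@cs.example.edu; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$addr.key" -out "$addr.csr" \
      -subj "/CN=Jane Doe/emailAddress=$addr" -config ca.cnf >/dev/null 2>&1
    openssl ca -batch -notext -days 365 -config ca.cnf -in "$addr.csr" -out "$addr.crt" >/dev/null 2>&1
  done
  # revoke only the cert tied to one address, then publish a fresh CRL
  openssl ca -config ca.cnf -revoke jdoe@cs.example.edu.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -crldays 30 -out ca.crl >/dev/null 2>&1
  cat ca.crt ca.crl > trust_with_crl.pem   # verify(1) loads both from one file
  echo "$WORK"
}

# Verify one user cert against the root WITH CRL checking: prints ok or rejected.
check_cert() {  # $1 = directory from build_toy_ca, $2 = e-mail address
  if openssl verify -crl_check -CAfile "$1/trust_with_crl.pem" "$1/$2.crt" >/dev/null 2>&1
  then echo ok; else echo rejected; fi
}
```

Run `W=$(build_toy_ca)` and then `check_cert "$W" jane.doe@example.edu` (ok) versus `check_cert "$W" jdoe@cs.example.edu` (rejected); dropping `-crl_check` makes the revoked cert pass again, which is the point of the exercise.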
