gnupg in large scale at University

Thomas Widhalm widhalmt at unix.sbg.ac.at
Sun Dec 25 15:11:39 CET 2005


On Saturday, 24 December 2005, 00:50, Henry Hertz Hobbit wrote:
> Thomas Widhalm <widhalmt at unix.sbg.ac.at> wrote:
> > I already sent this email twice to this mailinglist, but it didn't
> > appear at  my mailserver, so I assume it didn't reach any of you.
> >
> > I just got in charge of managing Linux and Unix servers at the
> > University of Salzburg (Austria) and one of my first tasks is
> > to implement a secure way of  exchanging email and storing data.
> > Having a big affection to Free Software, I try to implement a
> > solution based upon gpg.
>
> Congratulations on getting the job.

Thanks. :-)

>
> > My biggest problem is, that our users have many different
> > mailclients, mostly MS Outlook connected to MS exchange.
> >
> > Maybe some of you could help me with some details:
> >
> > I need a plugin for Outlook which support gpg/MIME and
> > maybe inline gpg. (Not Gdata, this didn't work out)
>
> Others will give a much better answer to this question
> than I can.  However, having just said that, both Outlook
> and Outlook Express are HORRIBLE to work with (from more
> points of view than just encryption - Active-X, et al).

Yes, we think the same way... But unfortunately it's not up to me to decide on 
our primary mail client. And as I remember, it was hard enough to switch from 
Eudora to Outlook, so I'm not too positive on changing again too soon.

> But if they must use Outlook, I would recommend the not
> for free PGP instead for Windows machines.  However if you
> must use GPG with Outlook then be aware it will be INLINE
> (also called clearsigning by some), not OpenPGP/MIME.  If
> you want to go that way, you can use either WinPT for
> Outlook Express, or g10code for Outlook.  WinPT will
> auto-install the Outlook Express plugin.  You can get
> WinPT at:
>
> http://www.stud.uni-hannover.de/~twoaday/winpt.html
>
> You can get g10code (sponsored by the German government) at:
>
> http://www.g10code.com/

Ah! I used both of them, but I lost the link to g10 (and the name, so I 
couldn't google). Thanks a lot!

>
> My advice is that if you aren't boiler-plated, welded,
> and totally unable to use anything other than Outlook
> or Outlook Express is to go freebie whole hog and
> install Thunderbird on EVERYTHING you can.  You will
> also need the Enigmail plugin (one piece of advice,
> install Enigmail in each user's account, NOT in the
> Thunderbird executable area itself on Linux).  Here
> are the URLs for that approach:

I, for myself, use Thunderbird on any Windows PC I have to use. But 
unfortunately many of our users are rather fixated on Outlook.

>
> http://www.mozilla.com/thunderbird/
> http://enigmail.mozdev.org/
>
> > I think it would be a good idea to create a CA. How to
> > achieve that? How to keep the key save? Is just one person
> > the CA, or a bunch of people? What if someone leaves us?
> > What if an employee leaves, loses his email address but
> > still has a signature. Should we revoke it?
>
> I take a dim view of that.  Each person should be responsible
> for his / her own keys.  Putting up a web page showing them how
> to create, manage, and PROTECT their own keys is more in line.
> On that subject, every time I hear the person leaving routine
> (usually for software projects that a large group is working on),
> there is only ONE solution.  YOU CREATE A FICTITIOUS PERSON!  No,
> I am not a fictitious person (unless a Turing machine gets colds
> and Pneumonia which I have right now).  Henry Hertz Hobbit has
> been my net name for almost ten years.  For Unix perms, that person
> is the group leader for the shared files, etc.  You can have a
> complete replacement of everybody working on the project, as
> long as there is some sort of continuity to passing the control
> to new people as the old ones leave.  Just remember to have the
> new care taker of the fictitious person to change the
> passphrases for the fictitious user IMMEDIATELY after they assume
> guardianship for the account.  Also make sure they are dependable
> and reliable.  But when it comes to OpenPGP keys, exporting and
> importing the ones you need is an INDIVIDUAL proposition.  Teach
> the users how to handle it themselves.  They are the ONLY ones
> that know what keys they need and use.  And they are the ONLY
> ones that should know their secret key's passphrase! I DO NOT
> WANT TO KNOW IT!  We achieve greater security if we do NOT know
> other people's passphrases.

Ok, we think the same way for many details. I would rather cut off my right 
ear than know the passphrase of one of our users. ;-)
I would create a key for our department to sign the users' keys. And this would 
be available only to some special administrators, e.g. those who know the root 
passwords of the domain controllers or mailservers. 

>
> > Is it possible/useful to create an own keyserver which
> > synchronises with the official ones? How to do that?
>
> Sure, it is possible.  Search the archives and you will find
> answers to all of your questions on this topic.  The problem
> is, how much time do you have to invest on this project?  It
> sounds to me like your plate is fairly full as it is.

Well it is. But creating this possibility is a mixture of a low priority task 
for my employer and a hobby to me. So I will take some time for creating 
this. First I need a simple and easy to use solution for encrypting and 
signing mails and single files. Bigger tasks like our own SSL certificates, etc. 
will follow but are not on my schedule for now.

>
> > I have some ideas, but need more input. Maybe some of you
> > could help me out.
>
> Well, you got it, but without knowing all the intricacies
> and the desires of the school, I don't know what to say.
> For example, there are frequently both school and government
> policies relating to the keeping of email. Most companies
> say the email belongs to them, but schools are different.
> This gets real messy since they will say the keys also
> belongs to them, but I would NEVER want somebody else having
> access to my secret keys, NOR knowing the passphrases for
> them. There are some people that don't want encryption, but do
> need to ascertain that a message REALLY came from another
> person (before replying to the interloper who is pretending
> to be them).  Also, there are laws concerning the safeguarding
> of medical information in many countries.  If
> that is the case, THESE ARE THE PEOPLE YOU WORK WITH FIRST
> (and refine your web instructions before deploying it more
> widely) and you will expand out from there.  Spend some time
> analyzing what they need from a HUMAN standpoint, and create
> and use your own keys FIRST.  I will send you more information
> privately.

I will write howtos and make tutorials and maybe even some short courses for 
the users. So everyone who wants to join is able to and knows what 
he/she is doing. This includes that using these possibilities will be their 
choice and not obligatory. 

Thanks for your other mail.

>
> Henry Hertz Hobbit

Regards,
Thomas

-- 
*****************************************************************
* Thomas Widhalm                             Unix Administrator *
* University of Salzburg                     IT- Services (ITS) *
* Systems Management                               Unix Systems *
* Hellbrunnerstr. 34                     5020 Salzburg, Austria *
* widhalmt at unix.sbg.ac.at                     +43/662/8044-6774 *
* gpg: 6265BAE6                                                 *
* http://www.sbg.ac.at/zid/organisation/mitarbeiter/widhalm.htm *
*****************************************************************