GnuPG for a small company -- Questions before I start

Jim Berland berland at gmail.com
Wed May 16 14:08:02 CEST 2007


Hello everybody,

I am going to try to set up GPG for our small company (about 15
people) and would like to ask you guys for some help. Below I will
write down the thoughts I have had on this so far. Comments would be
highly appreciated since I do not want to start this before I feel
confident and have a complete plan.


So I am thinking that each co-worker needs his/her own key (signing
and encryption subkeys) with the main key held back by the company.
That way they cannot sign other keys, a lost password wouldn't be a
problem and all emails would still be decryptable if necessary.

I understand concerns at this point, but I think it is reasonable if
employees are taught about the situation. The keys are to be used
professionally only and I am going to offer my help if people become
interested in having GPG for private use. We have, by the way, the
means to store the main keys very safely.

To have an internal Web-of-Trust there should be a main key (for the
company itself) signing the employees' keys and collecting their
signatures.

Thus far, I think, this is a good system for company-internal
encryption. Following are my questions that arise when I think about
using GPG with the outside world.


Other companies should be able to trust the signatures of our
employees. I was thinking that it should be all about the main key, so
that somebody can trust a new contact from our side immediately,
because that new key is also signed by the trusted main key.

But how to make the main key a trustworthy one? The way of spreading
the key personally when representatives visit other companies is
unrealistic. The best thing I could find is to join the CACert.org
Web-of-Trust.

A Web-of-Trust of companies that do business with each other is
surely not desirable, since their relations are going to be public on a
key server. While it's easy to prevent unwanted signing on our side
(crippled keys), what is the best solution (to try) to ensure that
the main key or any other of the company's keys is not signed by
somebody else? There is no technical solution for this, so I wonder
how others deal with this. All I can think of is a policy website.

Does somebody have information or experiences with any of these problems?


Thank you very much for your help


P.S.: I never came into contact with certificates like the ones from
Thawte or CACert.org before and I don't know anybody who uses them.
Considering the problems I see with GPG for this task, though, I
wonder if certificates would do the job better or easier. Is this even
the way other companies are going?
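The "subkeys for the employee, primary key held back by the company" layout described in the message, as an added shell example that is not part of the original post: it assumes GnuPG 2.1 or later and two separate keyring directories (one the company keeps, one handed to the employee), and then checks that the employee side can sign but holds only a stub of the primary key.

```shell
#!/bin/sh
# Added example for this thread (not from the original post). Requires GnuPG 2.1+.
# The company generates the whole key, then exports ONLY the secret subkeys to the
# employee. Without the primary (certify) key the employee cannot sign other keys.
set -e

make_company_key_and_employee_subkeys() {
  company="$1"; employee="$2"      # assumed GNUPGHOME paths, created here
  mkdir -p "$company" "$employee"; chmod 700 "$company" "$employee"

  # 1. Company side: certify-only primary key plus a signing subkey.
  #    %no-protection keeps the demo unattended; a real primary key gets a passphrase.
  GNUPGHOME="$company" gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: cert
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: sign
Name-Real: Example Employee
Name-Email: employee@example.invalid
Expire-Date: 0
%commit
EOF
  fpr=$(GNUPGHOME="$company" gpg --batch --with-colons --list-keys employee@example.invalid \
        | awk -F: '$1=="fpr"{print $10; exit}')

  # 2. Add the encryption subkey (the post wants signing + encryption subkeys per person).
  GNUPGHOME="$company" gpg --batch --quiet --quick-add-key "$fpr" rsa2048 encr never

  # 3. Hand over the secret subkeys only; the primary secret key stays with the company.
  GNUPGHOME="$company" gpg --batch --export-secret-subkeys "$fpr" \
    | GNUPGHOME="$employee" gpg --batch --quiet --import

  echo "$fpr"
}

# Returns 0 when the employee keyring holds only a stub of the primary key ('sec#'),
# i.e. the employee can sign and decrypt but cannot certify other keys.
employee_lacks_primary() {
  GNUPGHOME="$1" gpg --batch --list-secret-keys 2>/dev/null | grep -q '^sec#'
}

# Returns 0 when the employee can still produce and verify a signature with the subkey.
employee_can_sign() {
  printf 'hello\n' > "$1/msg.txt"
  GNUPGHOME="$1" gpg --batch --yes --quiet --sign --output "$1/msg.gpg" "$1/msg.txt" \
    && GNUPGHOME="$1" gpg --batch --quiet --verify "$1/msg.gpg" 2>/dev/null
}
```

Run `gpg --list-secret-keys` in the employee directory afterwards: the `sec#` line is exactly the "crippled key" the message refers to.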


