GnuPG for a small company -- Questions before I start

Janusz A. Urbanowicz alex at bofh.net.pl
Thu May 17 15:10:46 CEST 2007


On Wed, May 16, 2007 at 08:08:02PM +0800, Jim Berland wrote:
> Hello everybody,
> 
> I am going to try to set up GPG for our small company (about 15
> people) and would like to ask you guys for some help. In the following I
> will write down my thoughts on this that I have had so far. Comments would
> be highly appreciated since I do not want to start this before I feel
> confident and have a complete plan.

First, you should elaborate what the purpose of the exercise is: the
business goal. There is no point in deploying a crypto policy in an
organization just for the sake of it, because people will see this as
an unnecessary and pointless exercise.
 
> To have an internal Web-of-Trust there should be a main key (for the
> company itself) signing the employee's keys and collecting their
> signatures.

When I did similar things the setup was as follows:

* there is one well-guarded organization key (org key)
* every person involved has a key signed by the org key
* people's keys have designated-revoker set to the org key
* all OpenPGP software installations have:
** mandatory encrypt-to org key
** ultimate trust for the org key

If you don't want people to sign keys, issue them encryption-only keypairs.

But this is quite a generic setup and we could help you more if we knew
what you're trying to accomplish.

Alex
-- 
JID: alex at hell.pl
PGP: 0x46399138
paying attention to details is for doctors, lawyers, programmers and watchmakers
 -- Czerski
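The gpg.conf lines and the designated-revoker step behind the setup Alex lists above, as an added example that is not part of the original thread. ORG_FPR is a placeholder for the org key's fingerprint; appoint_org_revoker and list_revoker are assumed helper names and are not executed by the script itself.

```shell
#!/bin/sh
# Added example (not from the thread): per-workstation gpg.conf lines and
# the per-employee designated-revoker step for an org-key setup.
# ORG_FPR is a placeholder 40-hex-digit fingerprint of the org key.
ORG_FPR="${ORG_FPR:-0000000000000000000000000000000000000000}"

# Lines appended to every employee's gpg.conf:
#   encrypt-to  -> every encrypted message is also readable by the org key
#   trusted-key -> the org key is ultimately trusted, so keys it has
#                  signed validate on every installation without per-user
#                  signing or trust edits
org_gpg_conf() {
    cat <<EOF
# organization policy: do not remove
encrypt-to $1
trusted-key $1
EOF
}

# Deployment check: does an existing gpg.conf already carry both lines?
# Returns 0 when it does, 1 otherwise.
conf_has_org_policy() {
    grep -qx "encrypt-to $2" "$1" && grep -qx "trusted-key $2" "$1"
}

# Run by each employee (owner of the secret key) with the org public key
# imported: appoints the org key as designated revoker of the employee
# key, driving gpg's interactive edit-key menu from stdin (--command-fd 0).
# Defined only; not executed by this script.
appoint_org_revoker() {
    employee_key="$1"
    printf 'addrevoker\n%s\ny\nsave\n' "$ORG_FPR" |
        gpg --command-fd 0 --status-fd 2 --edit-key "$employee_key"
}

# Afterwards the employee's key listing should carry an "rvk" record.
list_revoker() {
    gpg --with-colons --list-keys "$1" | grep '^rvk:'
}
```

Roll the fragment out before issuing keys; a workstation whose gpg.conf fails conf_has_org_policy will encrypt without the org key as a recipient.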