GnuPG for a small company -- Questions before I start

Jim Berland berland at gmail.com
Sun May 20 14:50:27 CEST 2007


Hi Alex

On 5/17/07, Janusz A. Urbanowicz <alex at bofh.net.pl> wrote:

> > Hello everybody,
> >
> > I am going to try to set up GPG for our small company (about 15
> > people) and would like to ask you guys for some help. Following I will
> > write down my thoughts on this that I have had so far. Comments would be
> > highly appreciated since I do not want to start this before I feel
> > confident and have a complete plan.
>
> First, you should elaborate what the purpose of the exercise is. The
> business goal. There is no point in deploying a crypto policy in an
> organization just for the sake of it, because people will see this as
> an unnecessary and pointless exercise.
>
The main goal is to prevent employees from eavesdropping on each
other, since we had cases of stolen information. But even without a
motivation like that, I think encrypted email should be set up where
possible.

There are other flaws in the computer system that would have to be
addressed (a secretary has root access to the server to let her start
the daily backup process after work), but I'm not in charge of that. I
only want to offer my help for a GPG solution that would help a lot
in that environment.

I might ask some questions related to smartcards soon, which I believe
to be a good idea there, if I cannot figure everything out by myself.
I am going through the mailing list archives right now.

So the goal is to secure email communication between our employees and
I think I am able to set this up now. The setup you describe is very
similar to what I'm thinking of and thus confirms my ideas.

Since I'm going through the trouble of setting everything up and
teaching our employees, though, it would be great to also use GPG with
business partners. I don't think it's really going to happen, but
being ready for it would be a good idea. Especially since we could use
GPG to sign emails and maybe raise some interest.

In the case of communication with others, I want to use GPG to encrypt
and sign messages to prove the identity of the sender.

> > To have an internal Web-of-Trust there should be a main key (for the
> > company itself) signing the employees' keys and collecting their
> > signatures.
>
> When I did similar things the setup was as follows:
>
> * there is one well-guarded organization key (org key)
> * every person involved has a key signed by the org key
> * people's keys have designated-revoker set to the org key
> * all OpenPGP software installations have:
> ** mandatory encrypt-to org key
> ** ultimate trust for the org key
>
> If you don't want people to sign keys, issue them encryption-only keypairs.
>
It would be nice if you could write something about how GPG was used
with outsiders in those cases. For example:

Do you sign the other company's employees' keys and exchange them, or
do you only locally sign them? In case the other company has an org key,
too, do you sign and exchange it or only lsign it?

Do you publish the org key to enable others to set a trust level that
allows them to automatically trust the employees' keys signed by it?

> But this is quite generic setup and we could help you more if we knew
> what you're trying to accomplish.
>
I didn't tell you much new in this email, I'm afraid, but I really
don't know what else to mention. Sorry for that.

Thank you very much for your help!
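As an added example (not code from the thread or from the GnuPG project), the script below shows how the three workstation-side points Alex lists (mandatory encrypt-to the org key, ultimate trust for the org key, org key as designated revoker on every employee key) map onto concrete GnuPG settings. The fingerprint is a constructed placeholder, the function names and directory layout are my own choices, and the `addrevoker` prompt sequence is assumed to match GnuPG 2.1+; only the parts that call `gpg` need it installed.

```shell
#!/bin/sh
# Added example: provisioning helpers for the "org key" setup described in
# the thread. Assumptions: GnuPG 2.1+ as "gpg", a throw-away GNUPGHOME per
# workstation, and a placeholder org-key fingerprint (replace ORG_FPR).
set -eu

# Constructed placeholder (40 hex digits), not a real key fingerprint.
ORG_FPR="${ORG_FPR:-0123456789ABCDEF0123456789ABCDEF01234567}"

# 1. gpg.conf on every workstation: every encrypted message is also encrypted
#    to the org key, and the classic web-of-trust model is used so that the
#    org key's signatures are what make employee keys valid.
write_workstation_conf() {
  homedir="$1"
  mkdir -p "$homedir"
  chmod 700 "$homedir"
  cat > "$homedir/gpg.conf" <<EOF
# Mandatory: also encrypt to the organization key
encrypt-to $ORG_FPR
# Validity of employee keys comes from org-key signatures
trust-model pgp
# Always show long key IDs and fingerprints to avoid short-ID confusion
keyid-format long
with-fingerprint
EOF
  printf '%s\n' "$homedir/gpg.conf"
}

# 2. Ownertrust record: trust value 6 is "ultimate" in gpg's ownertrust
#    format (FINGERPRINT:VALUE:), so every key the org key signs is fully
#    valid on this machine without anyone having to sign it locally.
write_ownertrust() {
  homedir="$1"
  printf '%s:6:\n' "$ORG_FPR" > "$homedir/org-ownertrust.txt"
  printf '%s\n' "$homedir/org-ownertrust.txt"
}

# 3. Key-edit script appointing the org key as designated revoker on an
#    employee key. Assumed prompt order for --edit-key: the "addrevoker"
#    command, the revoker's fingerprint, a y/N confirmation, then "save".
edit_script_for_revoker() {
  printf 'addrevoker\n%s\ny\nsave\n' "$ORG_FPR"
}

# Import the ownertrust into a workstation keyring (needs gpg installed).
apply_ownertrust() {
  GNUPGHOME="$1" gpg --batch --import-ownertrust "$1/org-ownertrust.txt"
}

# Feed the edit script to gpg for one employee key. The org key must already
# be imported into the same keyring, and the employee's passphrase is needed.
set_designated_revoker() {
  edit_script_for_revoker |
    GNUPGHOME="$1" gpg --batch --command-fd 0 --edit-key "$2"
}

# Check used during rollout: does this gpg.conf really enforce encrypt-to?
conf_has_encrypt_to() {
  grep -q "^encrypt-to $ORG_FPR\$" "$1"
}

# Demo run: build a throw-away workstation home and verify the policy file.
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  conf=$(write_workstation_conf "$tmp/home")
  write_ownertrust "$tmp/home" >/dev/null
  conf_has_encrypt_to "$conf" && echo "encrypt-to enforced in $conf"
  if command -v gpg >/dev/null 2>&1; then
    apply_ownertrust "$tmp/home"
  fi
  rm -rf "$tmp"
fi
```

Run it as `sh provision.sh demo` to see the generated policy file checked; in a real rollout the org key is imported into each workstation keyring first, then `apply_ownertrust` and `set_designated_revoker HOMEDIR EMPLOYEE_KEYID` are run per machine. Note that `encrypt-to` only adds the org key as a recipient on the sending side; a correspondent outside the company who encrypts to an employee is of course not bound by it.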
