GnuPG for a small company -- Questions before I start

Zeljko Vrba zvrba at globalnet.hr
Sun May 20 18:56:00 CEST 2007


"Jim Berland" <berland at gmail.com> writes:

>
> There are other flaws in the computer system that would have to be
> addressed (a secretary has root access to the server to let her start
> the daily backup process after work), but I'm not in charge of that. I
>
Huh?  That requires only a single suid-root command.

>
> Since I'm going through the trouble of setting everything up and
> teaching our employees, though, it would be great to also use GPG with
> business partners. I don't think it's really going to happen, but
>
If you want secure communication with your partners, you might have better
luck with X.509 certificates.  They "just work" under Windows.  The only
needed initial setup is import of the root certificate.  Free certificates
are available from www.cacert.org.

The advantage of X.509 is that it's a rooted trust model, i.e. a key cannot have
multiple signatures (you expressed that as a concern earlier; signatures can
be used to infer relationships).  If you and your partners use a common neutral
CA, such as cacert.org, no such relationship can be inferred.  Plus, X.509
certificates have capabilities (KeyUsage field, such as signature and
encryption) which distinguish normal signing and key signing.  User
certificates do not have the "KeySign" capability turned on.

Yes, an employee can still use a "normal" (w/o KeySign capability) certificate
to issue another certificate.  However, standard-conforming software such as
OpenSSL will a) not allow such issuance to be made [in effect, one has to code
one's own CA which disregards key usage policies], and b) the trust chain will be
rejected by standard software [e.g. OpenSSL and Windows CryptoAPI; these are
much harder to "convince" in alternate verification strategies, if possible at
all with CryptoAPI].

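The chain rejection in point b) above, as an added example that is not part of the original post: it builds a neutral CA, issues an employee certificate without KeySign, has that employee's key nonetheless sign a further certificate, and shows `openssl verify` rejecting the resulting chain. It assumes the OpenSSL command line is installed; the CA, "alice" and "bob" are constructed names.

```shell
#!/bin/sh
# Added example (not from the post): an OpenSSL verifier rejects a chain in
# which an end-entity certificate (CA:FALSE, no keyCertSign) "issued" another
# certificate. Names (Neutral CA, alice, bob) and files are constructed here.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal config with a CA profile and a user profile that lacks keyCertSign.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_user]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
EOF

# Root of trust: the neutral CA both parties import.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 30 \
  -subj "/CN=Neutral CA" -config ext.cnf -extensions v3_ca 2>/dev/null
# issue_cert NAME ISSUER_CRT ISSUER_KEY: sign a user-profile certificate.
# 'x509 -req' is a raw signer and applies no CA policy, so it also lets
# alice's key sign for bob; the policy is enforced by the verifier instead.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" -config ext.cnf 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2" -CAkey "$3" -CAcreateserial \
    -out "$1.crt" -days 30 -extfile ext.cnf -extensions v3_user 2>/dev/null
}
issue_cert alice ca.crt ca.key        # legitimate employee certificate
issue_cert bob alice.crt alice.key    # bob "issued" by alice's non-CA certificate
# verify_chain LEAF [INTERMEDIATE]: succeeds only if OpenSSL accepts the chain.
verify_chain() {
  if [ $# -eq 2 ]; then
    out=$(openssl verify -CAfile ca.crt -untrusted "$2" "$1" 2>&1 || true)
  else
    out=$(openssl verify -CAfile ca.crt "$1" 2>&1 || true)
  fi
  echo "$out"
  echo "$out" | grep -q "^$1: OK"
}
verify_chain alice.crt || echo "unexpected: alice rejected"
verify_chain bob.crt alice.crt || echo "rejected: alice is not a CA"
```

The second verification fails with OpenSSL's "invalid CA certificate" error at depth 1, because alice's certificate carries CA:FALSE and no keyCertSign; the raw signing step succeeds only because `x509 -req` performs no policy check itself.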