Corporate use of gnupg

Max Allan max.allan at nbs.co.uk
Thu Feb 14 12:09:24 CET 2008


You're cracking the wrong nut. We've concluded: you can't force everyone to ensure their email is decryptable.
So the solution is to make sure they don't get encrypted email.

Use GPG at a gateway level and deny any internal mail that can't be decrypted. This is the way PGPU can work. All internal users'
keys are stored on the PGPU server; users don't need to know their passwords or anything about their keys. The server decrypts or
encrypts as required. All traffic on your local network is in the clear.

We used to have a TFS server doing something similar using GPG. (You need to buy TFS; I don't know if there is a free solution out
there.)

Of course, if your encryption policy is designed to prevent colleagues reading each other's email, then this doesn't work. But if
people can access each other's mailboxes, you've got a different problem (with file permissions)!

If it's too many people with root/administrator accounts who can read everyone's mail that is causing the fear, then move the mail
server to a new, more secure box where only one person has the password (probably you should have sudo or similar set up so you
can do admin tasks).

Max

> -----Original Message-----
> From: gnupg-users-bounces at gnupg.org
> [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Robert J. Hansen
> Sent: 14 February 2008 05:24
> To: gnupg-users at gnupg.org
> Subject: Re: Corporate use of gnupg
>
> Quoting gnupg at ethen.de:
> > And what do they want to do with the received emails? The only
> > possibility I see is to put everyone's private keys and
> > passwords into
> > a safe - then you can decrypt sent and received mail later.
>
> Same problem exists with PGP's ADK feature, which should
> really be named an ARR, for Additional Recipient Request.
> While ADK usage can be enforced within the ADK-using group
> (mostly: there are some caveats), emails from outside the
> group going in to the group are under no such restrictions.

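As an added illustration of the gateway policy Max describes (deny internal mail the gateway cannot decrypt), not code from this thread or from PGPU/TFS: it reads the recipient key IDs out of an OpenPGP message's PKESK packets and accepts the message only if one of them names a key the gateway holds. The held-key set, the constructed sample packets and the hidden-recipient handling are assumptions.

```python
PKESK_TAG = 1                  # Public-Key Encrypted Session Key packet (RFC 4880 5.1)
WILDCARD_KEY_ID = b"\x00" * 8  # "hidden recipient": the key ID is not disclosed

def iter_packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                      # new-format header
            tag, first, pos = ctb & 0x3F, data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                               # old-format header
            tag, size = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            if (ctb & 0x03) == 3:
                raise ValueError("indeterminate length not supported")
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        yield tag, data[pos:pos + length]
        pos += length

def recipient_key_ids(data):
    """Key IDs named by the version-3 PKESK packets heading an encrypted message."""
    bodies = [body for tag, body in iter_packets(data) if tag == PKESK_TAG]
    if any(b[0] != 3 for b in bodies):
        raise ValueError("only version 3 PKESK is handled here")
    return [b[1:9] for b in bodies]

def gateway_accepts(data, held_key_ids):
    """Gateway rule: pass mail only if it is plaintext (no PKESK) or some PKESK names
    a held key. A hidden-recipient PKESK cannot be checked, so it does not count."""
    ids = recipient_key_ids(data)
    return not ids or any(k in held_key_ids for k in ids if k != WILDCARD_KEY_ID)

def build_pkesk(key_id, new_format=True):
    """Constructed test data: v3 PKESK for an RSA key with a dummy 16-bit MPI."""
    body = b"\x03" + key_id + b"\x01" + b"\x00\x10\xab\xcd"
    return bytes([0xC1 if new_format else 0x84, len(body)]) + body

SAMPLE_SEIPD = bytes([0xD2, 5]) + b"\x01\xde\xad\xbe\xef"  # constructed tag-18 stub
```

A real gateway would hand accepted messages to gpg with the stored keys; the point here is only the accept/deny decision that keeps undecryptable mail out.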
