Corporate use of gnupg

Sven Radde email at sven-radde.de
Tue Feb 19 14:57:57 CET 2008


David Shaw wrote:
>> Looks like this is ADK.  Is there any way to do this on gpg?
>>     
> Yes.  Put "encrypt-to (the-adk-key)" in everyone's gpg.conf.
I thought that ADKs would work whenever encrypting to a key with that
feature enabled (i.e. also for incoming emails)? I.e. it is per-key and
not a per-user setting?
Of course, for outgoing mail you'd still need the additional encrypt-to
(unless you regularly encrypt to your own key which would have the ADK).

Furthermore, PGP has this fascinating key-splitting options that allow
you to distribute shares of a secret key to a group and define how many
shares would be necessary to conduct secret-key operations. There, you
would actually have "the math" ensuring that the boss can read the email.
This would allow advanced schemes like: "Either the original owner alone
or the boss in cooperation with the company's notary public can decrypt
mail."
Or, leaving ADK-related use-cases aside, "3 of 5 board members are
required to approve an order by digitally signing it."

It seems that GnuPG has no capability to ensure decrypt-ability for
incoming encrypted data, apart from outright key-escrow.

It has been a while since I last used the commercial PGPs, and I
could be remembering falsely.
So, feel free to correct me if I'm wrong (in particular, I have no idea
whether these features are still present in recent (freeware) versions).

cu, Sven
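The "encrypt-to" approach David Shaw suggests above, as an illustrative gpg.conf fragment added to this page (it is not from the thread, and the key ID is a placeholder standing in for the corporate escrow key):

```conf
# ~/.gnupg/gpg.conf (deployed to every user)
#
# Add the corporate escrow key as an extra recipient on every message
# this user encrypts.  0x0123456789ABCDEF is a placeholder long key ID.
encrypt-to 0x0123456789ABCDEF

# Treat the escrow key as fully valid even if nobody in this user's
# web of trust has signed it; otherwise gpg warns about an untrusted
# key (and refuses in --batch mode) on every encryption.
trusted-key 0x0123456789ABCDEF
```

Two caveats a practitioner should keep in mind. First, this is a client-side setting under the user's control: the same option can be switched off with --no-encrypt-to on the command line, or simply deleted from the file, so it guarantees nothing on its own. Second, it only affects data that this user encrypts; mail that other people encrypt to this user is unaffected, which is exactly the gap the reply above points out.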


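The key-splitting feature described above is a threshold ("k of n") secret-sharing scheme. The following is a small Shamir secret-sharing implementation added to this page to show the math behind both policies mentioned in the message: "3 of 5 board members" and "either the owner alone or the boss together with the notary" (done with weighted shares: the owner holds two shares of a 2-of-4 split). It is not PGP's or GnuPG's code; it splits an arbitrary integer (for example a symmetric key or the bytes of a passphrase) rather than OpenPGP secret-key material, and the prime field and function names are my own choices.

```python
"""Shamir threshold secret sharing over a prime field (illustrative, not GnuPG's code)."""
import secrets

# Prime field for the polynomial arithmetic.  2**521 - 1 is a Mersenne prime,
# large enough to hold a 512-bit secret.  Chosen here for illustration.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x, p):
    """Evaluate a polynomial (constant term first) at x modulo p, Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, k, n, p=PRIME):
    """Split `secret` into n shares so that any k of them reconstruct it.

    The secret is the constant term of a random polynomial of degree k-1;
    share i is the point (i, f(i)).  Fewer than k shares reveal nothing,
    because any value of the constant term is consistent with them.
    """
    if not 0 <= secret < p:
        raise ValueError("secret must be in [0, p)")
    if not 1 <= k <= n < p:
        raise ValueError("need 1 <= k <= n < p")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def recover_secret(shares, p=PRIME):
    """Lagrange-interpolate the sharing polynomial at x = 0.

    With at least k distinct shares the result is the secret; with fewer,
    the interpolated polynomial is the wrong one and the result is some
    unrelated field element.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % p
                den = (den * (xi - xj)) % p
        # Modular inverse of den via Fermat's little theorem (p is prime).
        total = (total + yi * num * pow(den, p - 2, p)) % p
    return total


def board_approval_demo(secret):
    """3-of-5 policy: five board members, any three can reconstruct.

    Returns (three_members_succeed, two_members_succeed).
    """
    shares = split_secret(secret, k=3, n=5)
    three = [shares[0], shares[2], shares[4]]
    two = [shares[1], shares[3]]
    return recover_secret(three) == secret, recover_secret(two) == secret


def owner_or_boss_with_notary_demo(secret):
    """Weighted policy via a 2-of-4 split: owner holds two shares, boss and
    notary one each.  Returns (owner_alone, boss_and_notary, boss_alone)."""
    s_owner1, s_owner2, s_boss, s_notary = split_secret(secret, k=2, n=4)
    owner_ok = recover_secret([s_owner1, s_owner2]) == secret
    boss_and_notary_ok = recover_secret([s_boss, s_notary]) == secret
    boss_alone_ok = recover_secret([s_boss]) == secret
    return owner_ok, boss_and_notary_ok, boss_alone_ok


if __name__ == "__main__":
    # Constructed demo secret: a random 256-bit value standing in for a key.
    key = int.from_bytes(secrets.token_bytes(32), "big")
    print("3-of-5 board (three, two):", board_approval_demo(key))
    print("owner | boss+notary (owner, boss+notary, boss):",
          owner_or_boss_with_notary_demo(key))
```

The point the message makes holds here: the escrow party (boss plus notary) can reconstruct the key by arithmetic alone, with no cooperation from the owner and no copy of the whole key held anywhere, whereas the boss alone gets nothing. In a real deployment the shared value would be the passphrase or key material protecting the OpenPGP secret key, and the shares would be delivered to each holder over an authenticated channel.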
