Corporate use of gnupg

[Alan Olsen]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


>From:  Nicholas Cole
>Sent: Tuesday, February 19, 2008 6:54 AM
>To: gnupg-users at gnupg.org
>Subject: Re: Corporate use of gnupg


>On Tue, Feb 19, 2008 at 1:23 PM, David Picón Álvarez <david at miradoiro.com> wrote:
>> > I know that ADK can be circumvented by a determined attacker, but it
>>  > strikes me as a useful feature, and I have never quite understood 
>> the  > opposition to it.  It would have made encryption more palatable 
>> in  > corporate settings, which surely would have been a good thing!
>>
>>  IMO there are two possibilities: 1) your users are forgetful but 
>> honest, 2)  your users are dishonest.
>>
>>  For case 1, an equivalent of ADK can be obtained with a line on GPG's  
>> configuration file.
>>
>>  For case 2, you are screwed, and ADK is only going to give you a 
>> false sense  of security.
>>
>>  Thus ADK is either pointless or unnecessary.

>This just simply isn't true.

>Putting a line in a config file may be fine for internal mail, but does nothing to help you to be able to decrypt mail sent from outside your organisation.  >It also locks everyone into using gpg - I thought the whole point of gpg / opengpg was to be inter-operative.

>Secondly, there might be any number of reasons why a user might not be able to give you access to a key.  He might be incompetent, he might be unexpectedly >ill or worse.  And so on, and so forth.

>But my real point is this: gpg in most areas says "This is a tool. Your threat models will vary, and we give you a tool which you can deploy".  But in the >area of ADK, even when for years people have said on this list and elsewhere, "ADK would help with the threat/organizational model we have", GPG refuses to >help.  "alter your config file" solves (at best) half of the problem.

>There may be very good technical reasons why ADKs are a bad idea, but I've never seen them explained.  There was, I know, an attack on PGP which relied 
>upon them a while ago, but IIRC that bug was easily fixed.

Someone else brought up the issue of the technique being patented.  (Seems like a pretty obvious idea, but so are most software patents.)

In a corporate setting, you really just want key escrow.  Have a "official" company signing key.  When new employees come on board, they are issued a PGP/GPG key that is signed and the secret key data is copied to non-volitile media and stored in a safe.  It is only available under restricted circumstances (to prevent managers from exploiting the keys for their own gain).  It also gives some authenticity to the key by having some sort of web of trust internally.  Something like this takes manpower and time to manage, but so does manageing employee keycards and other authorization data.

Not that I have ever seen a company that does this.  Even companies that make heavy use of encryption do not seem to have anyone at a mamagement level that understands how it needs to be managed.
  

-----BEGIN PGP SIGNATURE-----
Version: 9.5.3 (Build 5003)

wsBVAwUBR7sUEWqdmbpu7ejzAQo+CQf/apv9Vb0gI8fpaURwxyXJlxcJCNfOcnMU
WwBQxdL0p2v6H+H8OMf+seAMixmoNl9EzT3NMalmdISP6H9g0656Fte+IemawBOj
N0gPB/i2FqmbgW7XlEaULl8LTqwBKfZ9VCqas/HC+ur4q1BrcgHOmlp939R+9fdC
u+ByXAF+bdLAwKMoRj5+rCLZ8UV1YYPe8mKIVIlVp4O62iLRENpPtFDF8hYJMO3O
3YSZ/L/+Gq8wjfB690ufhMs2Lvb3QF+8rFx2jsopEPVAedjKjtKq/1h3KbXql6//
VrtGCkMM3wmxDkdRDmAwMhNMSyo5TPoeA1VITRQAoc2IR/MzxBrAmg==
=8YBw
-----END PGP SIGNATURE-----