How to establish a company web-of-trust

David Shaw dshaw at jabberwocky.com
Mon Mar 17 18:22:09 CET 2008


On Mon, Mar 17, 2008 at 05:23:39PM +0100, Karl Voit wrote:
> * Karl Voit <devnull at Karl-Voit.at> wrote:
> >
> > I want to establish secure email communication in our company
> > (Windows, Outlook, gpg4win). I do not want to maintain a keyserver
> > by myself.
> >
> > My attempt: every employee generates his own keypair and exports the
> > public key to a keyserver. I as the admin download his key from the
> > server, compare the ID with the employee and sign the key with the
> > "central company key".
> >
> > Any communication partner can check whether the key of the employee
> > was signed by our official "company key" which is downloadable from
> > our web site.
> >
> > So far so good - I think.
> >
> > But: what if an employee quits the company? Can I revoke the
> > signature? WinPT (as a key management frontend) does not seem to
> > provide this feature.
> 
> I just found out that WinPT does not provide all options that gpg
> (command line version) provides :-(
> 
> So my current attempt is: the employee has to add the company key as
> a revoker and then export it to the keyserver. So the company key is
> able to revoke any employee's key.

Note that those methods are only useful so long as the communication
partner gets the key from your company (a web page, a company
keyserver, or the like), and not from a public keyserver or from the
employee.  The reason for this is that keys or signatures can be
'unrevoked' by a malicious 3rd party (who may or may not be the
employee).

David
