How to establish a company web-of-trust
Karl Voit
devnull at Karl-Voit.at
Mon Mar 17 21:11:30 CET 2008
* David Shaw <dshaw at jabberwocky.com> wrote:
>>
>> So my current attempt is: the employee has to add the company key as
>> a revoker and then export it to the keyserver. So the company key is
>> able to revoke any employee's key.
>
> Note that those methods are only useful so long as the communication
> partner gets the key from your company (a web page, a company
> keyserver, or the like), and not from a public keyserver or from the
> employee. The reason for this is that keys or signatures can be
> 'unrevoked' by a malicious 3rd party (who may or may not be the
> employee).
The official public key from our company is on our company website.
Thanks for the hint; I forgot to mention that.

So either with revoking the signature or (or better "and") revoking
the key with the "add revoker" method, the concept is OK. Right?

I don't want to get into any trouble in the future because I forgot
some issue I did not think of ... :-)
--
Karl Voit