How to establish a company web-of-trust

Karl Voit devnull at
Mon Mar 17 21:11:30 CET 2008

* David Shaw <dshaw at> wrote:
>> So my current attempt is: the employee has to add the company key as
>> a revoker and then export it to the keyserver. So the company key is
>> able to revoke any employees key.
> Note that those methods are only useful so long as the communication
> partner gets the key from your company (a web page, a company
> keyserver, or the like), and not from a public keyserver or from the
> employee.  The reason for this is that keys or signatures can be
> 'unrevoked' by a malicious 3rd party (who may or may not be the
> employee).

The official public key from our company is on our company website.

Thanks for the hint I forgot to mention.

So either with revoking the signature or (or better "and") revoking
the key with the "add revoker"-method, the concept is OK. Right?

I don't want to get into any troubles in future because I forgot
some issue I did not thought of ... :-)

Karl Voit

More information about the Gnupg-users mailing list