How to establish a company web-of-trust

David Shaw dshaw at jabberwocky.com
Mon Mar 17 22:06:17 CET 2008


On Mon, Mar 17, 2008 at 09:11:30PM +0100, Karl Voit wrote:
> * David Shaw <dshaw at jabberwocky.com> wrote:
> >> 
> >> So my current attempt is: the employee has to add the company key as
> >> a revoker and then export it to the keyserver. So the company key is
> >> able to revoke any employee's key.
> >
> > Note that those methods are only useful so long as the communication
> > partner gets the key from your company (a web page, a company
> > keyserver, or the like), and not from a public keyserver or from the
> > employee.  The reason for this is that keys or signatures can be
> > 'unrevoked' by a malicious 3rd party (who may or may not be the
> > employee).
> 
> The official public key from our company is on our company website.
> 
> Thanks for the hint I forgot to mention.
> 
> So either with revoking the signature or (or better "and") revoking
> the key with the "add revoker"-method, the concept is OK. Right?

The official public key *and* the employee key must be retrieved from
somewhere under your control.  You can get away with using public
keyservers for this, but it's not a guarantee.

David
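The scheme under discussion, carried through as a scripted demonstration. This is an added example, not code from this thread, from GnuPG's documentation or from the company setup Karl describes. It assumes GnuPG 2.1 or later on PATH (for --quick-gen-key and --command-fd scripting), that --list-packets prints its "# off=0 ... hlen=H plen=P" header line, and uses constructed user IDs and file names. It goes one step beyond the thread: after the "add revoker" step it has the company issue a designated revocation and then compares a partner who fetched the employee key from the company with one who only holds a stale copy.

```sh
#!/bin/sh
# Added example, not code from this thread or from GnuPG: the designated-revoker
# scheme walked through in throwaway GnuPG homes. Assumes GnuPG 2.1 or later on
# PATH; the user IDs, domains and file names below are constructed.
set -eu

# Create an isolated GnuPG home directory and print its path.
new_home() { d=$(mktemp -d) && chmod 700 "$d" && printf '%s\n' "$d"; }

# Generate an unprotected Ed25519 key for user ID $2 in home $1; print its fingerprint.
gen_key() {
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$2" ed25519 default never >/dev/null 2>&1
  gpg --homedir "$1" --with-colons --list-keys "$2" 2>/dev/null |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# The "add revoker" step: in home $1, appoint key $3 as designated revoker of key $2.
# Commands reach --edit-key over --command-fd; the "y" answers the
# "appoint this key as a designated revoker?" prompt.
add_revoker() {
  printf 'addrevoker\n%s\ny\nsave\n' "$3" |
    gpg --homedir "$1" --batch --no-tty --command-fd 0 --status-fd 2 \
        --edit-key "$2" >/dev/null 2>&1
}

# Succeed if key $2 in home $1 carries an rvk (revocation key) record naming $3.
has_revoker() {
  gpg --homedir "$1" --with-colons --list-keys "$2" 2>/dev/null |
    awk -F: -v f="$3" '$1 == "rvk" && index($0, f) { ok = 1 } END { exit !ok }'
}

# Company home $1 issues a designated revocation certificate for key $2 into file $3.
# Prompts answered in order: create it? y; reason code 0; empty description; okay? y.
desig_revoke() {
  printf 'y\n0\n\ny\n' |
    gpg --homedir "$1" --no-tty --command-fd 0 --status-fd 2 \
        --output "$3" --desig-revoke "$2" >/dev/null 2>&1
}

# Splice armored revocation $3 into binary keyblock $2, writing $4 (home $1 for gpg).
# A key revocation is only honoured directly after the public key packet, so the
# first packet's length (hlen+plen from the "# off=0" line of --list-packets) is
# used to cut the keyblock there.
splice_revocation() {
  n=$(gpg --homedir "$1" --list-packets "$2" 2>/dev/null | awk '/^# off=0 / {
        for (i = 1; i <= NF; i++) { split($i, kv, "=")
          if (kv[1] == "hlen") h = kv[2]; if (kv[1] == "plen") p = kv[2] }
        print h + p; exit }')
  { dd if="$2" bs=1 count="$n" 2>/dev/null
    gpg --homedir "$1" --dearmor < "$3"
    dd if="$2" bs=1 skip="$n" 2>/dev/null; } > "$4"
}

# Print the validity field of key $2 as seen from home $1 ("r" means revoked).
key_validity() {
  gpg --homedir "$1" --with-colons --list-keys "$2" 2>/dev/null |
    awk -F: '$1 == "pub" { print $2; exit }'
}

# Run the whole scenario and print a one-line summary of its four checks.
run_demo() {
  company=$(new_home); employee=$(new_home); partner_a=$(new_home); partner_b=$(new_home)
  work=$(mktemp -d)
  company_fpr=$(gen_key "$company" "Example Corp Security <security@example.invalid>")
  employee_fpr=$(gen_key "$employee" "Alice Employee <alice@example.invalid>")
  # Employee fetches the official company key (from the company website in
  # practice), appoints it as revoker, and uploads the result to a keyserver.
  gpg --homedir "$company" --export "$company_fpr" > "$work/company.gpg"
  gpg --homedir "$employee" --batch --quiet --import "$work/company.gpg" 2>/dev/null
  add_revoker "$employee" "$employee_fpr" "$company_fpr"
  if has_revoker "$employee" "$employee_fpr" "$company_fpr"; then r1=ok; else r1=FAIL; fi
  gpg --homedir "$employee" --export "$employee_fpr" > "$work/stale.gpg"   # pre-revocation copy
  gpg --homedir "$company" --batch --quiet --import "$work/stale.gpg" 2>/dev/null
  # Employee leaves: the company revokes the key with its designated-revoker right
  # and republishes it, revocation attached, from a source it controls.
  desig_revoke "$company" "$employee_fpr" "$work/revoke.asc"
  splice_revocation "$company" "$work/stale.gpg" "$work/revoke.asc" "$work/official.gpg"
  # Partner A fetches both keys from the company and sees the revocation.
  gpg --homedir "$partner_a" --batch --quiet --import "$work/company.gpg" "$work/official.gpg" 2>/dev/null
  r2=$(key_validity "$partner_a" "$employee_fpr")
  # Partner B holds the stale copy (old keyserver snapshot, or the ex-employee): not revoked.
  gpg --homedir "$partner_b" --batch --quiet --import "$work/company.gpg" "$work/stale.gpg" 2>/dev/null
  case "$(key_validity "$partner_b" "$employee_fpr")" in r|"") r3=FAIL ;; *) r3=ok ;; esac
  # A revocation once seen survives a merge with the stale copy; the exposure is
  # the partner who never sees it.
  gpg --homedir "$partner_a" --batch --quiet --import "$work/stale.gpg" 2>/dev/null
  r4=$(key_validity "$partner_a" "$employee_fpr")
  for h in "$company" "$employee" "$partner_a" "$partner_b"; do
    gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
    rm -rf "$h"
  done
  rm -rf "$work"
  printf 'revoker=%s official=%s stale=%s merged=%s\n' "$r1" "$r2" "$r3" "$r4"
}

run_demo
```

Running it prints "revoker=ok official=r stale=ok merged=r": the rvk record is present on the employee key, the partner who took the key from the company sees it as revoked, the partner with the stale copy does not, and merging the stale copy into a keyring that already holds the revocation does not undo it. That last line is the caveat from the reply above in concrete form: a revocation cannot be stripped from a keyring that has seen it, so the exposure is the partner who only ever receives the copy that predates it. The splice step exists because a key revocation is only honoured when it sits directly after the public key packet; a partner must also hold the company key, since a designated revocation is verified against the revoker's key, which is why the script imports company.gpg into every partner home first.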



More information about the Gnupg-users mailing list