How to establish a company web-of-trust

[Karl Voit]

* Neal Dudley <neal.dudley at utoledo.edu> wrote:
> Some points to consider:

Great :-) Thread is getting even more interesting *g*

> Regardless of whether or not the company signing key has signed or
> revoked it's signature on the user's signing key, it is ultimately up to
> the employee to trust or not trust the other employee's key(s).  

Absolutely.

But we have a quite flat thrust network with one central company key
and the employees keys that gets signed with the company key.

Our communication partners have to check the signature of our
employees keys and its up to our partners that they check from time
to time wether there was a change in the relationship between our
employees and out company key - I guess this is the most difficult
part.

> This is
> one of the beautiful points of PGP/GPG - there is no third party to
> dictate who's keys you can trust or not trust.  That trust decision is
> solely up to the user.
>
> Please, no one flame me, but it is worth looking at S/MIME and PGP for
> this issue. Yes, on a purely technical level, we are talking about the
> same cryptographic algorithms.  The difference between S/MIME and PGP,
> as I understand it, is mainly semantics involving the trust
> relationships.  In S/MIME, a third party dictates to you what is to be
> trusted or untrusted.  In contrast, under PGP the user defines what is
> to be trusted or not.

Right.

But we do not want to use S/MIME for several reasons and our
communication partners already are using OpenPGP-messages. So this
decision is already done by facts not by arguing. Although I share
your point of view.

> I'm very interested in this thread, as I'm not clear as to how you could
> create policies (at least ones that can be enforced) to control trust
> relationships in a company.  This seems to be more a question of office
> politics than secure email technology.  

Absolutely. I (as the person responsible for company security) have
to check every key that I am signing with the company key. I have to
explain the important issues of key management to my employees
(non-it people for most of the part). I do this by giving exact
instructions with screenshots of every step - WinPT is helping here
because it is mouse-oriented :-)

So I have to check the proper security in the system - which is this
thread-part here - and I have to make sure, that every party
understands the system which I do with exact instructions for my
employees and for instructions for our partners.

I know that there might be some pitfalls concerning employees that
sign everything or make other mistakes that can have an influence on
our web-of-trust. But the alternative is worse: plain text - oh
sorry ... HTML-Emails without encrypting or signing at all. And this
has to be considered as the default method in companies these days
:-(

> In a small company, this could
> certainly be handled.  Mention the issue at the regular staff meetings,
> and it remains the user's responsibility to revoke trust in that
> keypair.  

Well I will see how this turns out. Most of my employees dont want
to learn anything at all that is not 100% part of their work. And
cryptography is surely not 100% part of their work. Social problem.
So this also would imply usage of S/MIME.

> By the same token - good luck to you in implementing this if
> you are referring to a larger company.  

100-250 emplyees will be the target. But not all of them need GPG.

> If you create scripts or
> otherwise to force employees to check their keyring against some central
> corporate keyserver, please share.  

Sure. But I guess that scripts is not user-friendly enough for my
employees :-(

> I hope your users are savvy enough
> to understand what they are doing.  

Hehe.

> If that is the case, so much the
> better for you, lucky dog!

Well, good night for tonight ... says the unlucky dog ;-)

-- 
Karl Voit