How to establish a company web-of-trust
devnull at Karl-Voit.at
Tue Mar 18 08:50:55 CET 2008
* Neal Dudley <neal.dudley at utoledo.edu> wrote:
> Karl Voit wrote:
>> Our communication partners have to check the signature of our
>> employees keys and its up to our partners that they check from time
>> to time wether there was a change in the relationship between our
>> employees and out company key - I guess this is the most difficult
> NO - education on using GPG will be the hardest part.
I was afraid of this sentence :-)
> If your partners
> understand using GPG, you're more than half way there.
I can not assume on this. I am in the automotive business and most
of the employees here was studying Mechanical Engineering. So
IT-knowldedge is not their primary goal and most of them do not want
to learn IT although I try my best to enlight something ... :-)
> Given that
> knowledge changes things a bit. Why not generate all the keys *for*
> your employees - AND immediately generate revocation certificates. If
> someone leaves, simply send the revocation certificate to those that
> conversed with that employee (and submit it to your keyserver).
I thought of that too.
I have to admit, that I do not want to generate the keys by myself
because I am lazy and we do have four bureau buildings that make
physical meetings more difficult and sending keys over the Exchange
server is not quite ... good :-)
So I tried to generate a system where I can get the keys from the
keyservers and check them (correct key-id, added revoker, ...)
>> But we do not want to use S/MIME for several reasons and our
>> communication partners already are using OpenPGP-messages. So this
>> decision is already done by facts not by arguing. Although I share
>> your point of view.
> If I wasn't a proponent of GPG, would I be on this list? ;)
> I'm impressed with the maturity of this mailing list. Most lists would
> have exploded into a religious war. Really says something of the
> caliber of the people on this list.
Sorry, this is my first thread on this list :-)
But usually flaming stops after some years working in the
real-world-IT-business. I am even working on Windows the whole day
(in the company)! =:-| (made an attempt for a flamewar? *ggg*)
>> Absolutely. I (as the person responsible for company security) have
>> to check every key that I am signing with the company key. I have to
>> explain the important issues of key management to my employees
>> (non-it people for most of the part). I do this by giving exact
>> instructions with screenshots of every step - WinPT is helping here
>> because it is mouse-oriented :-)
>> I know that there might be some pitfalls concerning employees that
>> sign everything or make other mistakes that can have an influence on
>> our web-of-trust. But the alternative is worse: plain text - oh
>> sorry ... HTML-Emails without encrypting or signing at all. And this
>> has to be considered as the default method in companies these days
> There are some options here. You could use the expert mode in GPG when
> generating their signing keys to remove the ability to certify with the
> signing keys to restrict users a bit more. Then they could sign
> documents, but not keys (if I understand that correctly). Or perhaps
> signing and encryption subkeys would be appropriate? That would
> simplify things - one primary signing key to protect.
Wow, I did not knew that! I'll have a look at these options but I
guess I stick to the revoker-method (also because every day there
are more employees that need to use GnuPG right now and I do have a
stress in making all these decisions).
>> 100-250 emplyees will be the target. But not all of them need GPG.
> Only some of them need GPG? Ought to make your life a little easier. ;)
Make my life *possible*! :-)
>> Sure. But I guess that scripts is not user-friendly enough for my
>> employees :-(
> Depending on what you are using with/for the MUA to implement the
> signing and encryption,
gpg4win: collection of Windows-tools like gnupg, WinPT (key-mgt),
GpGee (Windows-Explorer extension), ...
So I am using WinPT and the corresponding Outlook-plugin.
> you could use rules to simplify this for the users.
I try to do this by giving very detailed instructions with a lot of
screenshots on our local intranet webserver.
More information about the Gnupg-users