IT Department having the secure key.

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Jul 27 14:29:10 CEST 2009


Hi Ingo--

This is a well-thought-out response, but there are some nagging,
nit-picky details that i'm not sure are what you meant:

On 07/27/2009 06:33 AM, Ingo Krabbe wrote:
> 3. GnuPG is a distributed system in contrast to SSL Ciphers, that are
> asymmetric as well but need a centralized keyserver to prove the validity of
> the key.

I think you mean to contrast OpenPGP certificates with X.509
certificates here, not GnuPG with SSL.  It is possible to use OpenPGP
certificates with recent versions of TLS under some implementations:

 http://tools.ietf.org/html/rfc5081

> For example the problem is: If you create the keys for your users, you will have
> to transfer them to the users, which makes a bit of unsureness of who listens on
> the transfer lines.

If the OP works in a traditional office, then transferring the keys to
the users via a pendrive (or other variation of sneakernet) is a pretty
reasonable way to avoid this concern.

> And: You can only encrypt the files for one key.  So only one user will have
> access to the files (owns the files), as long as you don't share the keys.  For
> example you can introduce company wide keys or department keys and distribute
> them to anyone, who should have access.

You actually can encrypt files to more than one OpenPGP key, so that
anyone holding any of the recipient keys can decrypt the data.  Maybe
this approach would be useful for the OP?

If, as IT administrator, you have the opportunity to configure your
users' ~/.gnupg/gpg.conf, you could add a line like

  recipient 0xDEADBEEFDEADBEEF

to specify that all encryptions will automatically be encrypted to a key
that you retain for the kind of emergency recovery scenarios you describe.

	--dkg
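The multi-recipient setup described above, as an added, self-contained example that is not part of the original message: it builds two throwaway GnuPG homes (an "IT recovery" keyring and an employee keyring, both constructed here), installs a gpg.conf line that always adds the recovery key as an extra recipient, encrypts a file for the employee only, and then shows that both the employee and the IT key can decrypt it. The `0xDEADBEEFDEADBEEF` placeholder from the post is replaced by the real fingerprint of the generated recovery key; the identities and paths are constructed. It uses `encrypt-to`, the option GnuPG documents for exactly this purpose (`recipient` in gpg.conf works too, as the post says, but `encrypt-to` is only honoured when some other recipient is given and skips trust checking for that key, which suits an imported corporate recovery key). It requires GnuPG 2.1 or later on PATH and skips with a message if `gpg` is not installed.

```shell
#!/bin/sh
# Constructed demonstration of "always also encrypt to an IT recovery key".
# Not code from the gnupg-users thread; requires GnuPG >= 2.1.
set -eu

demo_recovery_recipient() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping demo"; return 0; }

    it_home=$(mktemp -d)      # keyring that stays with the IT department
    user_home=$(mktemp -d)    # keyring on the employee's workstation
    trap 'GNUPGHOME=$it_home gpgconf --kill gpg-agent 2>/dev/null;
          GNUPGHOME=$user_home gpgconf --kill gpg-agent 2>/dev/null;
          rm -rf "$it_home" "$user_home"' EXIT

    # Hypothetical identities; unprotected keys so the demo runs non-interactively.
    GNUPGHOME=$it_home gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'IT Recovery <it-recovery@example.invalid>' default default never
    GNUPGHOME=$user_home gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Alice <alice@example.invalid>' default default never

    # Only the PUBLIC recovery key is distributed to the user's machine.
    GNUPGHOME=$it_home gpg --batch --quiet --export it-recovery@example.invalid \
        > "$it_home/it-recovery.pub"
    GNUPGHOME=$user_home gpg --batch --quiet --import "$it_home/it-recovery.pub"

    recovery_fpr=$(GNUPGHOME=$user_home gpg --batch --with-colons \
        --list-keys it-recovery@example.invalid | awk -F: '/^fpr:/ {print $10; exit}')

    # The gpg.conf line the post suggests, with the real fingerprint instead of
    # 0xDEADBEEFDEADBEEF. Every encryption on this machine now also goes to IT.
    printf 'encrypt-to %s\n' "$recovery_fpr" > "$user_home/gpg.conf"

    printf 'quarterly numbers\n' > "$user_home/report.txt"
    # The sender names Alice only; the config adds the recovery key silently.
    GNUPGHOME=$user_home gpg --batch --quiet --encrypt --recipient alice@example.invalid \
        --output "$user_home/report.gpg" "$user_home/report.txt"

    # One public-key-encrypted session key (PKESK) packet per recipient: expect 2.
    pkesk=$(GNUPGHOME=$user_home gpg --batch --list-packets "$user_home/report.gpg" \
        | grep -c ':pubkey enc packet:')
    [ "$pkesk" -eq 2 ] || { echo "expected 2 recipients, found $pkesk"; return 1; }

    # Alice can read it on her own machine...
    alice_sees=$(GNUPGHOME=$user_home gpg --batch --quiet --decrypt "$user_home/report.gpg")
    [ "$alice_sees" = "quarterly numbers" ] || { echo "employee decryption failed"; return 1; }

    # ...and IT can read it with the recovery secret key that never left their keyring.
    it_sees=$(GNUPGHOME=$it_home gpg --batch --quiet --decrypt "$user_home/report.gpg")
    [ "$it_sees" = "quarterly numbers" ] || { echo "recovery decryption failed"; return 1; }

    echo "ok: $pkesk recipients, both employee and IT recovery key can decrypt"
    return 0
}

demo_recovery_recipient
```

The `--list-packets` check is the quickest way to audit whether the extra recipient is really being added on a given workstation: a file encrypted under the policy carries one `pubkey enc packet` per key, so a count of 1 means the gpg.conf line is missing or being overridden (for example by `--no-encrypt-to`). The same mechanism is what makes the recovery key a sensitive asset: whoever holds its secret half can read everything encrypted on every configured machine, so it belongs on a smartcard or an offline system rather than in an administrator's everyday keyring.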


