IT Department having the secure key.

Ingo Krabbe ingo.krabbe at eoa.de
Mon Jul 27 15:41:38 CEST 2009


On Mon, Jul 27, 2009 at 08:29:10AM -0400, Daniel Kahn Gillmor wrote:
> Hi Ingo--
> 
> This is a well-thought-out response, but there are some nagging,
> nit-picky details that i'm not sure are what you meant:
> 
> On 07/27/2009 06:33 AM, Ingo Krabbe wrote:
> > 3. GnuPG is a distributed system in contrast to SSL Ciphers, that are
> > asymmetric as well but need a centralized keyserver to prove the validity of
> > the key.
> 
> I think you mean to contrast OpenPGP certificates with X.509
> certificates here, not GnuPG with SSL.  It is possible to use OpenPGP
> certificates with recent versions of TLS under some implementations:
> 
>  http://tools.ietf.org/html/rfc5081

Yes, true, I didn't remember that X.509 early in the morning.

> 
> > For example the problem is: If you create the keys for your users, you will have
> > to transfer them to the users, which makes a bit of unsureness of who listens on
> > the transfer lines.
> 
> If the OP works in a traditional office, then transferring the keys to
> the users via a pendrive (or other variation of sneakernet) is a pretty
> reasonable way to avoid this concern

True also, I just wanted to mention that transferring keys is something to be
thought about.

> 
> > And: You can only encrypt the files for one key.  So only one user will have
> > access to the files (owns the files), as long as you don't share the keys.  For
> > example you can introduce company wide keys or department keys and distribute
> > them to anyone, who should have access.
> 
> You actually can encrypt files to more than one OpenPGP key, so that
> anyone holding any of the recipient keys can decrypt the data.  Maybe
> this approach would be useful for the OP?

As far as I know you can keep multiple different encrypted copies of a file, but
one copy of the file will only have one encryption.  Assumed that you don't want
to waste space.  I just see that you can encrypt for multiple keys, but you will
increase the space needed for the file copy, don't you?

I mean if you encrypt a file f.txt to f.txt.gpg with 10 recipients, you will
have a f.txt.gpg that contains f.txt 10 times encrypted in 10 different ways.
Maybe I'm wrong about this point, but I can't think about an encryption strategy
with mixed recipients.

bye, ingo
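Added illustration of the multi-recipient question discussed above (not part of the original post): an OpenPGP message encrypts the file body once under a random session key and then adds one small packet per recipient that wraps that session key (RFC 4880 PKESK packets followed by a single encrypted-data packet), so ten recipients cost ten wrapped keys, not ten copies of the file. The primitives here are a SHA-256 counter-mode keystream and a symmetric stand-in for the recipient's public-key operation, both constructed for the demo and not secure; only the packet layout and the size arithmetic are the point.

```python
import os
import hashlib

# Toy keystream: SHA-256 in counter mode. Stand-in for a real cipher; not secure.
def _keystream(key: bytes, n: int) -> bytes:
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])

def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def encrypt_to_recipients(plaintext: bytes, recipient_keys: dict) -> dict:
    """Mirror the OpenPGP layout: one PKESK-style packet per recipient that
    wraps the session key, followed by ONE encrypted body (SEIPD-style)."""
    session_key = os.urandom(32)
    # In real OpenPGP the wrap is a public-key operation (RSA/ElGamal/ECDH);
    # here it is a symmetric stand-in keyed by the recipient's constructed key.
    pkesk = {kid: _xor(session_key, key) for kid, key in recipient_keys.items()}
    body = _xor(plaintext, session_key)          # encrypted exactly once
    return {"pkesk": pkesk, "body": body}

def decrypt(message: dict, key_id: str, key: bytes) -> bytes:
    """A recipient unwraps only its own copy of the session key, then decrypts the body."""
    session_key = _xor(message["pkesk"][key_id], key)
    return _xor(message["body"], session_key)

def message_size(message: dict) -> int:
    """Total bytes: body once plus 32 bytes of wrapped session key per recipient."""
    return len(message["body"]) + sum(len(w) for w in message["pkesk"].values())

if __name__ == "__main__":
    keys = {f"key{i}": os.urandom(32) for i in range(10)}   # constructed recipient keys
    pt = b"confidential report " * 50
    msg = encrypt_to_recipients(pt, keys)
    print(f"plaintext {len(pt)} bytes -> message {message_size(msg)} bytes "
          f"(body once + {len(keys)} x 32-byte wrapped session keys)")
```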
