best practice for handing over the private key

John Clizbe John at enigmail.net
Fri Aug 2 14:24:06 CEST 2013 

Martin T wrote:
> Hi,
> 
> I need to create a public and private key pair for a person
> representing an organization, upload the public key to RIPE(regional
> Internet registry in Europe) public server, create some database
> entries using those public and private keys and finally hand over the
> private key + password protecting the private key to this person. I'm
> aware that handing over the private key is not the best practice, but
> at the moment I don't have an option. Has anyone been in similar
> situation? I thought that I'll ship the private key on a USB memory
> stick in closed envelope, send the password protecting the private key
> over e-mail or SMS, delete the private key from my own machine and ask
> him to change the password protecting the private key. Are there
> better methods? Or ask him to create personal gpg key pair, upload the
> public key to key-server and finally I'll encrypt this private key
> with his personal public key from the key server and send the
> encrypted private key to his e-mail? This method doesn't require
> shipping the USB memory stick. Better ideas?

Usually the phrase "handing over the private key" is used to denote an element
of coercion, as in surrendering the key. Your description sounds, to me, as if
you are only generating a key for the other persons use.

For a project I work with, three of us may sign archives with the project key.
That key was generated and encrypted to each of the other two persons public
keys and then emailed to them.

Your correspondent doesn't need to upload his key to the keyservers to get it
to you. He could send you his public key, encrypted to your public key, in an
email.

-- 
John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 520 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130802/36600db2/attachment.sig>

More information about the Gnupg-users mailing list