Enterprise Key Management?

Werner Koch wk at gnupg.org
Mon Mar 18 10:14:08 CET 2013

On Sat, 16 Mar 2013 12:36, abel at guardianproject.info said:

> This seems like a better application of S/MIME as it, by design, is
> centralized in the manner you describe.

However, with S/MIME you can _only_ do centralized key management.
OpenPGP allows implementing an arbitrary key management policy.

The OP mentioned signing subkeys.  This could for example be used to
allow several employees to sign data using the same key and the
recipient will notice a valid signature with a published fingerprint
from the company.  A closer inspection would reveal which subkey has
been used for signing and this can be used for internal audit processes
(similar to the QA labels with an employer number on all kinds of
products).  Revocation of a certain subkey would also be pretty easy.  I
assume this would easily scale to new dozen subkeys.



Thoughts are free.  Exceptions are regulated by a federal law.
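
An added example, not part of the original message: one way the "closer inspection" for internal audit could be automated, by reading the `VALIDSIG` status line that `gpg --status-fd` emits (signing-key fingerprint first, primary-key fingerprint last). The fingerprints, the `SUBKEY_OWNERS` register and the sample status output are constructed for illustration.

```python
# Audit helper: attribute a verified signature to a signing subkey.
# Input is the machine-readable status output of
#   gpg --status-fd 1 --verify file.sig file
# All fingerprints and names below are constructed sample values.

COMPANY_PRIMARY = "A" * 40  # published company fingerprint (constructed)

# Hypothetical internal register: signing-subkey fingerprint -> employee
SUBKEY_OWNERS = {
    "B" * 40: "employee-017",
    "C" * 40: "employee-042",
}

SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CCCCCCCCCCCCCCCC Example Corp <release@example.com>
[GNUPG:] VALIDSIG {sub} 2013-03-18 1363598048 0 4 0 1 8 00 {pri}
""".format(sub="C" * 40, pri=COMPANY_PRIMARY)


def parse_validsig(status_text):
    """Return (signing_key_fpr, primary_key_fpr) pairs from VALIDSIG lines."""
    pairs = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[:2] != ["[GNUPG:]", "VALIDSIG"]:
            continue
        signer = fields[2].upper()
        # Primary fingerprint is the last field; if absent, assume primary signed.
        primary = fields[-1].upper() if len(fields) >= 12 else signer
        pairs.append((signer, primary))
    return pairs


def attribute(status_text):
    """Map each valid company signature to the registered subkey owner."""
    results = []
    for signer, primary in parse_validsig(status_text):
        if primary != COMPANY_PRIMARY:
            results.append((signer, "not-company-key"))
        elif signer == primary:
            results.append((signer, "primary-key"))
        else:
            owner = SUBKEY_OWNERS.get(signer, "unregistered-subkey")
            results.append((signer, owner))
    return results


if __name__ == "__main__":
    for fpr, owner in attribute(SAMPLE_STATUS):
        print(fpr, owner)
```
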
