Enterprise Key Management?
Nicholas Cole
nicholas.cole at gmail.com
Mon Mar 18 11:24:32 CET 2013
On Mon, Mar 18, 2013 at 9:14 AM, Werner Koch <wk at gnupg.org> wrote:
> On Sat, 16 Mar 2013 12:36, abel at guardianproject.info said:
>
> > This seems like a better application of S/MIME as it, by design, is
> > centralized in the manner you describe.
>
> However, with S/MIME you can _only_ do a centralized key management.
> OpenPGP allows one to implement an arbitrary key management policy.
>
> The OP mentioned signing subkeys. This could for example be used to
> allow several employees to sign data using the same key and the
> recipient will notice a valid signature with a published fingerprint
> from the company. A closer inspection would reveal which subkey has
> been used for signing and this can be used for internal audit processes
> (similar to the QA labels with an employer number on all kinds of
> products). Revocation of a certain subkey would also be pretty easy. I
> assume this would easily scale to new dozen subkeys.
>
It's clever. Given careful management / dissemination it would allow a
group to share an encryption key but have separate signing keys. I don't
know if any software exists that operates in this way.
I do wonder if what the poster really meant, however, is not "subkeys" per
se but Trust-Signature certified keys.
I guess what is needed for most enterprise use is a system where the
company generates employees' keys and keeps a copy of them.
N.
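
The internal audit described in the quoted text (a signature that validates under the company's published fingerprint, with the signing subkey identifying who signed) can be scripted against the status lines gpg emits with `--status-fd`. This is an added example, not part of the original message; the fingerprints, the employee registry and the sample status lines are constructed, and `audit_signature` is a hypothetical helper name.

```python
# Added example: attribute a signature to the signing subkey that made it.
# Input is the machine-readable output of `gpg --status-fd 1 --verify ...`.

COMPANY_FPR = "A" * 40  # constructed: published primary-key fingerprint
# Constructed internal registry: signing-subkey fingerprint -> employee number
SUBKEY_OWNERS = {"B" * 40: "employee-017", "C" * 40: "employee-042"}

# Constructed sample status output for one verified signature.
# VALIDSIG fields: signing-key fpr, date, timestamp, expiry, version,
# reserved, pubkey algo, hash algo, sig class, primary-key fpr.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Example Corp <signing@example.invalid>\n"
    "[GNUPG:] VALIDSIG " + "B" * 40 + " 2013-03-18 1363602272 0 4 0 1 8 00 "
    + COMPANY_FPR + "\n"
)

# Status keywords that mean the signature must not be accepted.
# REVKEYSIG covers a signature made by a revoked (sub)key.
REJECT = {"BADSIG", "ERRSIG", "REVKEYSIG", "EXPKEYSIG", "EXPSIG"}


def audit_signature(status_text, company_fpr=COMPANY_FPR, owners=SUBKEY_OWNERS):
    """Return (verdict, employee) for the status output of one verification."""
    rejected, validsig = False, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # ignore human-readable or malformed lines
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            rejected = True
        elif keyword == "VALIDSIG":
            validsig = args
    if rejected or validsig is None:
        return ("rejected", None)
    if len(validsig) < 10:
        return ("no-primary-fingerprint", None)  # cannot tie to company key
    subkey_fpr, primary_fpr = validsig[0].upper(), validsig[9].upper()
    if primary_fpr != company_fpr.upper():
        return ("wrong-primary", None)
    employee = owners.get(subkey_fpr)
    if employee is None:
        return ("unregistered-subkey", None)
    return ("ok", employee)


if __name__ == "__main__":
    print(audit_signature(SAMPLE_STATUS))
```
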