Enterprise Key Management?

Nicholas Cole nicholas.cole at gmail.com
Mon Mar 18 11:24:32 CET 2013

On Mon, Mar 18, 2013 at 9:14 AM, Werner Koch <wk at gnupg.org> wrote:

> On Sat, 16 Mar 2013 12:36, abel at guardianproject.info said:
> > This seems like a better application of S/MIME as it, by design, is
> > centralized in the manner you describe.
> Hwever, with S/MIME you can _only_ do a centralized key management.
> OpenPGP allows to implement an arbitrary key management policy.
> The OP mentioned signing subkeys.  This could for example be used to
> allow several employees to sign data using the same key and the
> recipient will notice a valid signature with a published fingerprint
> from the company.  A closer inspection would reveal which subkey has
> been used for signing and this can be used for internal audit processes
> (similar to the QA labels with an employer number on all kind of
> products).  Revocation of a certain subkey would also be pretty easy.  I
> assume this would easily scale to new dozen subkeys.

It's clever.  Given careful management / dissemination it would allow a
group to share an encryption key but have separate signing key.  I don't
know if any software exists that operates in this way.

I do wonder if what the poster really meant, however, is not "subkeys" per
se but Trust-Signature certified keys.

I guess what is needed for most enterprise use is a system where the
company generates employee's keys and keeps a copy of them.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20130318/2d2b4559/attachment.html>

More information about the Gnupg-users mailing list