Managing Subkeys for Professional and Personal UIDs

Robert J. Hansen rjh at
Sat May 3 05:01:05 CEST 2014

> So I mean, sure, I can definitely imagine a company doing it the way you
> describe.  I just don't think it's a good business practice.

Unfortunately, the world doesn't much care what we think of as good
business practices.  And why should they?  We're nerds -- we understand
technology, perhaps, but odds are good few if any of us have ever sat at
the CIO/CTO/CSO level.  On what expertise do we declare it to be "not
good business practice"?

I agree that this is not the sort of business practice I would like to
see, but I'm not willing to go out on the limb with you and to declare
it a bad business practice.

And regardless of whether it's a good practice or a bad one, I've worked
in businesses that have done exactly this -- so it's a real-world
example that demonstrates the occasional need for a third party to
possess signing keys.

