Optimal setup for corporate keys

F Rafi farhanible at gmail.com
Mon Jul 20 02:44:44 CEST 2015


The partners will generate their own keys so we can send them files. We're
generating separate pub/priv keys for each partner to receive files from
them. My question was whether we should generate separate pub/priv keys or
generate subkeys under a single signing key. Looks like the consensus is
that we should use entirely separate pub/priv keys.

We will have decryption processes on multiple servers. So if one server
happens to get compromised, I want to avoid the disruption of reaching out
to 40 partners to exchange keys again. We would only reach out to the
affected partners with new keys.

Thanks for the input everyone!
Farhan
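The per-partner separation settled on above, as an added shell example that is not part of this thread: each partner gets its own GnuPG keyring and receiving key pair, so the keys present on a server are exactly the ones to rotate if that server is compromised. The partner names, user IDs and KEYBASE path are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: one GnuPG key pair per partner, each kept
# in its own keyring directory. A server then holds exactly the keys for the
# partners it decrypts for, so a compromise means re-keying only those partners.
# Assumptions: gpg (GnuPG 2.1+) is on PATH; the partner names, user IDs and
# KEYBASE directory are constructed placeholders.
set -eu

KEYBASE="${KEYBASE:-$(mktemp -d)}"

# make_partner_key <partner>: create an isolated keyring for one partner,
# generate our receiving key pair in it, and write out the public half to send.
make_partner_key() {
    partner="$1"
    home="$KEYBASE/$partner"
    mkdir -p "$home"
    chmod 700 "$home"
    # No passphrase: these keys run on unattended decryption servers, so the
    # protection is the keyring directory (mode 700, encrypted disk), not a PIN.
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "inbound-$partner <inbound-$partner@example.com>" \
        default default 2y
    # Export only the public key; this file goes to the partner, nothing else does.
    gpg --homedir "$home" --batch --quiet --armor \
        --export "inbound-$partner@example.com" > "$home/inbound-$partner.pub.asc"
    printf '%s\n' "$home/inbound-$partner.pub.asc"
}

# secret_key_count <partner>: number of secret keys in that partner's keyring.
# On a compromised server this is the rotation set; for a correctly isolated
# keyring it is exactly 1.
secret_key_count() {
    gpg --homedir "$KEYBASE/$1" --batch --quiet --with-colons --list-secret-keys \
        2>/dev/null | grep -c '^sec:' || true
}

# knows_partner <keyring-partner> <other-partner>: succeeds if keyring-partner's
# keyring contains the other partner's public key. With separate keyrings this
# fails for any two different partners, which is the isolation we want.
knows_partner() {
    gpg --homedir "$KEYBASE/$1" --batch --quiet --list-keys \
        "inbound-$2@example.com" >/dev/null 2>&1
}
```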



On Sun, Jul 19, 2015 at 1:01 PM, flapflap <flapflap at riseup.net> wrote:

> Greg Sabino Mullane:
> >
> >
> >> We exchange sensitive files with multiple corporate partners and would
> >> like to set our keys up so that a single private key compromise does not
> >> require generating new keys for all partners.
> >
> >> 1) Should we generate separate pub / priv key pairs for all partners?
> >
> > Yes. It's best to keep everyone as separated as possible.
>
> Probably, it is a non-issue in this specific case (you already know the
> files you send to your partners), but in general one (here: your
> partners) should not use secret keys generated by others because they
> are not /secret/ to oneself anymore.
>
> Simply let your partners generate their pub/sec key pairs and then
> exchange them.
>

