Modernizing Web-of-trust for Organizations

Lou Wynn lewisurn at
Tue Feb 27 12:59:40 CET 2018

On 02/18/2018 05:55 PM, Ben McGinnes wrote:
> So you took a system built from the outset on a security model founded
> entirely on public key exchanges between distributed and federated
> (both self-determining and self-governing) nodes ... and then spent a
> considerable amount of time and effort making that system centralised
> in order to meet certain types of common business use cases ...
> ... with a software package which ships with a complete implementation
> of S/MIME as well ...
No, there is no S/MIME implementation, because the PKI model it relies on
is inherently precarious for enterprise usage because it uses
third-party certificates. Once a 3rd-party CA is trusted, all users it
has certified become trusted while those users have no business
relationship with the enterprise.

> Hmm ...
> Okay, I just have one question:
> *Why?!*
The short answer is that neither S/MIME's PKI nor OpenPGP's web-of-trust
is suitable for organizational use in terms of defining trusted people
for the organization. In addition, current clients of both require
considerable effort on the end-user side to configure and use. For a
longer analysis, here is a white paper:


> Regards,
> Ben

More information about the Gnupg-users mailing list