Modernizing Web-of-trust for Organizations

Kristian Fiskerstrand kristian.fiskerstrand at
Thu Jan 4 12:02:35 CET 2018

On 01/04/2018 02:34 AM, Lou Wynn wrote:
> No, there is no business unit level certifying key. An enterprise only
> has one root key, which is the ultimate certificate authority for its
> own employees and business partners.

I normally recommend separating those, as there is value for external parties
that might want to trust this CA for certifying employees but not other
third parties.

As for access to private key material, I normally recommend that the end
user never has access to any secret key material, but only has access to
use subkeys (never the primary) via smartcard tokens.

Wrt your other discussion of the ssh-based scheme, an alternative for escrow
is actually using GnuPG 2.1's gpg-agent through SSH socket forwarding so the
key material is never available locally. A system could theoretically be
set up in a restricted setup so the user doesn't actually get access to the
key material (but it would require some setup to ensure they don't have
it, so a smartcard is generally easier).

Kristian Fiskerstrand
Twitter: @krifisk
Public OpenPGP keyblock at hkp://
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Carpe noctem
Seize the night
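An added example (not Kristian's own setup, nor GnuPG project code) of the gpg-agent-over-SSH forwarding described above, as a POSIX shell helper: it emits the ssh_config RemoteForward stanza and refuses to forward anything but gpg-agent's restricted "extra" socket, which is what keeps the remote side limited to signing and decryption rather than unrestricted agent commands. The hostname and socket paths are constructed sample values; on a real system they come from gpgconf as noted in the comments.

```shell
#!/bin/sh
# Added example: forward the local gpg-agent *restricted* socket to a remote host
# so private key operations run locally and the remote never sees key material.
# Paths are passed in so this runs without gpg installed; on a real system use:
#   gpgconf --list-dirs agent-extra-socket   (run locally: restricted socket)
#   gpgconf --list-dirs agent-socket         (run on the remote: its agent path)
# The remote also needs the *public* keys imported (gpg --export | ssh host gpg --import).

# Print an ssh_config stanza for HOST, or return 1 if LOCAL_SOCK is not the
# restricted S.gpg-agent.extra socket. Forwarding S.gpg-agent itself would let
# the remote side issue the full, unrestricted agent command set.
gpg_forward_stanza() {
    host="$1"; remote_sock="$2"; local_sock="$3"
    case "$local_sock" in
        *S.gpg-agent.extra) ;;
        *) echo "refusing: $local_sock is not the restricted extra socket" >&2
           return 1 ;;
    esac
    printf 'Host %s\n' "$host"
    printf '    RemoteForward %s %s\n' "$remote_sock" "$local_sock"
}

# Check sshd_config content on stdin for StreamLocalBindUnlink yes; without it a
# stale socket file left by a previous session blocks the next forward.
sshd_allows_unlink() {
    grep -Eiq '^[[:space:]]*StreamLocalBindUnlink[[:space:]]+yes'
}

# Sample run with constructed paths (a typical uid-1000 layout):
# gpg_forward_stanza build01 /run/user/1000/gnupg/S.gpg-agent \
#     /run/user/1000/gnupg/S.gpg-agent.extra >> ~/.ssh/config
```

Even with the restricted socket, a compromised remote host can still use the key for signing and decryption for as long as the session is connected, so keep forwards short-lived and scoped to the hosts that need them.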
