Modernizing Web-of-trust for Organizations

MFPA 2017-r3sgs86x8e-lists-groups at riseup.net
Thu Jan 4 15:10:42 CET 2018


On Thursday 4 January 2018 at 1:34:30 AM, in
<mid:d1782a47-7888-aa88-ab35-a6a8e0e17110 at gmail.com>, Lou Wynn wrote:-


> Your first comment above mentioned no 3rd-party CA is needed for PGP
> users, but the reference still requires users to manage their trust.
> In my opinion, PGP has an unnecessarily complicated trust management
> recommendation: the web of trust, when used in an enterprise
> environment.

It is up to the enterprise how simple or complicated they choose to
make it. Their internal web of trust could be a simple hierarchy.



> My goal is to simplify user-side trust management work
> to zero, and the result is the concept of trust realm and trust
> group.

How complicated is user-side trust management within an enterprise
environment? If their internal web of trust is a simple hierarchy,
each user's software automatically trusts all other employees.

For business partners, the enterprise's certification key would have
to be able to sign the business partner's key as a trusted introducer
but only for staff at their own domain. Perhaps the use of Web Key
Directory [0] is already a simple enough solution.

The organisation's particular threat model may not require the keys of
business partners' staff to be signed at all as long as each contact
consistently uses the same key. In that case, Trust On First Use
(TOFU) [1] may be sufficient.


[0] <https://www.gnupg.org/blog/20161027-hosting-a-web-key-directory.html>

[1] <https://www.gnupg.org/blog/20151103-gnupg-in-october.html#sec-1-5>



--
Best regards

MFPA                  <mailto:2017-r3sgs86x8e-lists-groups at riseup.net>

Never trust a dog with orange eyebrows

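The policy sketched in the reply above (the organisation's certification key appoints a partner key as trusted introducer for the partner's own domain only, with TOFU for anyone no introducer covers), modelled as an added Python example that is not part of the mail or of GnuPG; fingerprints, addresses and the certification graph are constructed placeholders, and signature verification is assumed to have already happened.

```python
# Toy model of the policy in the mail: the org's certification key tsigns a
# partner's key as trusted introducer for that partner's domain only; keys no
# introducer covers fall back to Trust On First Use. No OpenPGP crypto here:
# certifications are assumed already verified, fingerprints are placeholders.
import re
from dataclasses import dataclass, field

def domain_regex(domain):
    # Same shape GnuPG builds for a domain-restricted tsign: <[^>]+[@.]example\.com>$
    return re.compile(r"<[^>]+[@.]" + re.escape(domain) + r">$")

@dataclass
class Keyring:
    root: str                                   # our organisation's certification key
    uids: dict = field(default_factory=dict)    # fingerprint -> mail address in its user ID
    tsigs: list = field(default_factory=list)   # (signer, introducer, domain or None)
    certs: set = field(default_factory=set)     # (signer, signee) ordinary certifications
    tofu: dict = field(default_factory=dict)    # mail address -> first-seen fingerprint

    def certified(self, fpr):
        """Root certified it directly, or a root-appointed introducer did and the
        user ID is inside that introducer's domain (depth 1: no sub-introducers)."""
        if (self.root, fpr) in self.certs:
            return True
        uid = "<%s>" % self.uids.get(fpr, "")
        return any(signer == self.root and (intro, fpr) in self.certs
                   and (dom is None or domain_regex(dom).search(uid))
                   for signer, intro, dom in self.tsigs)

    def check(self, mail, fpr):
        """Classify the key seen on a message from ``mail``."""
        if self.certified(fpr) and self.uids.get(fpr) == mail:
            return "certified"
        if mail not in self.tofu:               # first contact: remember the binding
            self.tofu[mail] = fpr
            return "tofu-new"
        return "tofu-ok" if self.tofu[mail] == fpr else "tofu-conflict"

def demo():
    # Constructed keyring: ROOT tsigns PARTNER as introducer for partner.example only.
    kr = Keyring(root="ROOT-FPR",
                 uids={"ALICE-FPR": "alice@partner.example",
                       "BOB-FPR": "bob@other.example",
                       "CAROL-FPR": "carol@vendor.example"},
                 tsigs=[("ROOT-FPR", "PARTNER-FPR", "partner.example")],
                 certs={("PARTNER-FPR", "ALICE-FPR"), ("PARTNER-FPR", "BOB-FPR")})
    return [kr.check("alice@partner.example", "ALICE-FPR"),  # inside PARTNER's scope
            kr.check("bob@other.example", "BOB-FPR"),        # signed, but outside scope
            kr.check("bob@other.example", "BOB-FPR"),        # same key again
            kr.check("bob@other.example", "BOB2-FPR"),       # key changed: flag it
            kr.check("carol@vendor.example", "CAROL-FPR")]   # nobody signed: TOFU
```

The "tofu-conflict" result is the one a client should surface to the user: the partner domain check rejects Bob's certification, so his address is only as trustworthy as its first-seen key.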