Modernizing Web-of-trust for Organizations

Kristian Fiskerstrand kristian.fiskerstrand at
Thu Jan 4 23:04:49 CET 2018

On 01/04/2018 10:38 PM, Lou Wynn wrote:
> On 01/04/2018 03:02 AM, Kristian Fiskerstrand wrote:
>> On 01/04/2018 02:34 AM, Lou Wynn wrote:
>>> No, there is no business unit level certifying key. An enterprise only
>>> has one root key, which is the ultimate certificate authority for its
>>> own employees and business partners.
>> I normally recommend separating those, as the value for external parties
>> that might want to trust this CA for certifying employees but not other
>> third parties.
> I don't think it necessary to use business unit level certifying keys in
> my design. It introduces management overhead which shadows its benefits.
> If you understand the concept of trust realm/trust group and its
> verification methods I described before, then there is no need for a key
> hierarchy at all. Can you describe a use case that demands the use of
> unit level certifying key? I'll try to explain how to implement it with
> trust realm and groups.

I didn't necessarily say business unit level CA, but separation between
employee and business partner CAs.

>> As for access to private key material, I normally recommend that the end
>> user never has access to any secret key material, but only access to
>> using subkeys (never the primary) using smartcard tokens.
> I completely agree, and indeed in my system, an end user never needs to
> directly access his secret key. Actually, he does not need to access his
> public key either. This is what I mean by zero configuration on client
> side, both for trust management and key management.
> Thanks,
> Lou

Kristian Fiskerstrand
Twitter: @krifisk
Public OpenPGP keyblock at hkp://
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Carpe noctem
Seize the night
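The subkey arrangement discussed above (certify-only primary key kept away
from the end user, usage subkeys as the only secret material they receive),
worked through as an added example. This is not code from the thread or from
either participant; it uses stock GnuPG 2.1+ commands, a constructed sample
identity, throwaway keyring directories and an empty passphrase so it runs
unattended. It does not cover the separate employee/partner CA question or
the final keytocard step onto a token.

```shell
#!/bin/sh
# Added example (not from the thread): a certify-only primary key kept in an
# offline keyring, with sign/encr/auth subkeys that are the only secret
# material handed to the end user. Identity and paths are constructed.
set -eu

# Generate the organisation's key in keyring $1: the primary key is
# certify-only ("cert") and never expires; three one-year subkeys are added.
# Prints the primary key fingerprint.
create_org_key() {
    ca_home=$1
    mkdir -p -m 700 "$ca_home"
    # Empty passphrase only so the demo runs unattended; a real offline
    # primary key would be passphrase-protected (or live on its own token).
    GNUPGHOME=$ca_home gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Example Employee <employee@example.org>" ed25519 cert never
    fpr=$(GNUPGHOME=$ca_home gpg --batch --with-colons --list-keys \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    for spec in "ed25519 sign" "cv25519 encr" "ed25519 auth"; do
        # word splitting of $spec into "<algo> <usage>" is intentional
        GNUPGHOME=$ca_home gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-add-key "$fpr" $spec 1y
    done
    echo "$fpr"
}

# Export only the secret subkeys of key $2 from keyring $1 into file $3.
# GnuPG replaces the primary secret key with a stub in this keyblock, so the
# recipient can sign/decrypt/authenticate but cannot certify or add subkeys.
export_user_subkeys() {
    GNUPGHOME=$1 gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --export-secret-subkeys "$2" > "$3"
}

# Import keyblock $2 into the fresh end-user keyring $1 and print two values:
# the 'sec' record's field 15 ('#' means the primary secret key is a stub)
# and the number of secret subkeys present.
inspect_user_keyring() {
    user_home=$1
    mkdir -p -m 700 "$user_home"
    GNUPGHOME=$user_home gpg --batch --quiet --import "$2"
    GNUPGHOME=$user_home gpg --batch --with-colons --list-secret-keys \
        | awk -F: '$1 == "sec" { marker = $15 } $1 == "ssb" { n++ }
                   END { printf "%s %d\n", marker, n }'
}

# Run the whole flow in a throwaway directory and print the result,
# e.g. "# 3": stubbed primary, three usable secret subkeys.
run_demo() {
    work=$(mktemp -d)
    fpr=$(create_org_key "$work/ca")
    export_user_subkeys "$work/ca" "$fpr" "$work/subkeys.gpg"
    result=$(inspect_user_keyring "$work/user" "$work/subkeys.gpg")
    for d in ca user; do GNUPGHOME=$work/$d gpgconf --kill gpg-agent; done
    rm -rf "$work"
    echo "$result"
}

if command -v gpg >/dev/null 2>&1; then
    echo "primary-stub marker and secret subkey count: $(run_demo)"
else
    echo "gpg not found; nothing to demonstrate" >&2
fi
```

In practice the "ca" keyring stays offline and is only used to certify other
keys and to add, extend or revoke subkeys; the exported subkeys are what gets
moved onto the user's smartcard (keytocard in gpg --edit-key, which is
interactive and therefore not scripted here). The user's own listing then
shows the primary as sec# and the subkeys as ssb>, which is the property
the thread is after: nothing on the user's side can certify.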


More information about the Gnupg-users mailing list