Modernizing Web-of-trust for Organizations

Lou Wynn lewisurn at gmail.com
Fri Jan 5 01:31:12 CET 2018


On 01/04/2018 02:28 PM, Ben McGinnes wrote:
> On Wed, Jan 03, 2018 at 05:34:30PM -0800, Lou Wynn wrote:
>> The management of users' private key is a little more complicated. I
>> use two levels of protection. One level is at the organization. An
>> organization actually has a fourth key, which I call the guard key,
>> to encrypt the password of the user's private key. This guard key is
>> also managed by the key management system. In addition, a user can
>> choose another password of her own to encrypt the key password too.
> That just spreads the potential points of human failure and you run
> the risk that anyone with access to this guard key would be able to
> abuse the position to access an employee's credentials (saying they
> don't have access to the private key doesn't hold any weight on a
> company intranet where they've probably already got root/admin
> access).  So it'd be too easy for some unscrupulous sys admin (you
> might trust you, but what happens when you leave, do you know your
> successor?) has a personal issue with someone in, say, marketing and
> stitches them up with a few choice forged and signed emails.
>
> No, that's a *bad* plan and creates all sorts of horrible legal
> problems for the company or at least has the very real potential to do
> so.

I think that I simplified my original description too much. The two
levels of protection work like this.

1. The employee chooses his own password, which is used to encrypt his
private key.

2. Then the encrypted key is encrypted with the guard key.

When a client plugin passes authentication, the server decrypts from 2's
result and sends it to the client. This key material is still encrypted
by the employee's own password. The decryption of 1 happens at the
client plugin.

My estimate is that there exist different types of organizations. Some
want to access an employee's key, and some don't. So for the former, they
can choose to skip the first level of protection. For the latter, they
can require its use. An organization can only change from using the
second protection only to using both, but not the other way around.

Thanks,
Lou
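
The two-level wrapping described in the message above, as an added example that is not part of the original post or of any GnuPG code. It assumes a symmetric 32-byte guard key, AES-256-GCM for both layers and scrypt for the password-derived key (none of which the thread specifies), and every function name is hypothetical. It compares what the guard key alone releases when level 1 is used and when it is skipped.

```javascript
// Added illustration: every name here is hypothetical, not from the proposal.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('crypto');

// AES-256-GCM seal; output layout is nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const nonce = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Inverse of seal(); throws when the key is wrong or the blob was altered.
function unseal(key, blob) {
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Level 1, client side: the employee's password protects the private key.
function passwordWrap(password, privateKey) {
  const salt = randomBytes(16);
  return Buffer.concat([salt, seal(scryptSync(password, salt, 32), privateKey)]);
}
function passwordUnwrap(password, blob) {
  return unseal(scryptSync(password, blob.subarray(0, 16), 32), blob.subarray(16));
}

// Level 2, server side: the guard key wraps whatever the server stores.
const guardWrap = (guardKey, inner) => seal(guardKey, inner);
const guardUnwrap = (guardKey, stored) => unseal(guardKey, stored);

// What a guard-key holder can recover alone, per deployment mode.
function guardHolderView(useLevel1) {
  const guardKey = randomBytes(32);
  const privateKey = Buffer.from('constructed-private-key-material'); // sample value
  const password = 'constructed employee password';                   // sample value
  const inner = useLevel1 ? passwordWrap(password, privateKey) : privateKey;
  const released = guardUnwrap(guardKey, guardWrap(guardKey, inner)); // sent to plugin
  let wrongPasswordRejected = null;
  if (useLevel1) {
    try { passwordUnwrap('wrong guess', released); wrongPasswordRejected = false; } catch (e) { wrongPasswordRejected = true; }
  }
  return {
    guardKeyAloneYieldsPrivateKey: released.includes(privateKey),
    clientRecoversKey: (useLevel1 ? passwordUnwrap(password, released) : released).equals(privateKey),
    wrongPasswordRejected,
  };
}
console.log(guardHolderView(true), guardHolderView(false));
```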



