Modernizing Web-of-trust for Organizations

Lou Wynn lewisurn at gmail.com
Fri Jan 5 01:42:27 CET 2018


On 01/04/2018 04:31 PM, Lou Wynn wrote:
> I think that I simplified my original description too much. The two
> levels of protection work like this.
> 1. The employee chooses his own password, which is used to encrypt his
> private key.
>
> 2. Then the encrypted key is encrypted with the guard key.
>
> When a client plugin passes authentication, the server decrypts from 2's
> result and sends it to the client.
I'm sorry for missing another step in sending a key to the client. After
the server decrypts the encrypted key material with the guard key, it
uses the public key of the client plugin to encrypt it and sends it to
the client. The client plugin decrypts it first with the plugin key, and
then the user's own password is required to decrypt the private key.

The guard key and the plugin key here are used to defy the
man-in-the-middle in either direction and provide secure channels.

Thanks,
Lou
