On Fri, Dec 23, 2005 at 09:32:28PM +0100, [EMAIL PROTECTED] wrote:
> > I would rank the initial setup effort as 2, 1, 3, 4.
> To follow up on myself...
All your users will have to import your root certificate to stop SW from complaining about an unknown root cert (but they'd have to do that with your GPG root cert anyway).

AFAIR, Verisign (and possibly other CAs) offer "hosted PKI", or "managed PKI" (these two are NOT equivalent), but I have no clue about the price. If you really have strict security requirements, you might go down that route. Look at e.g. http://www.wisekey.com/pages/pki_managed.htm (the difference between hosted and managed is that in hosted you have your own, dedicated servers..). They are charging by the number of "seats" in use.

Final words from me: running a PKI for a large organization is a COMPLEX business. Don't make an immediate decision but create several toy CAs in different ways (both X.509 and OpenPGP), and try to:

- issue certificates to several users (multiple certs for the SAME user, on different email addresses)
- revoke one particular certificate (e.g. one tied to a particular email)
- play with CRL checking
- actually USE those certs on all platforms in question to see how much of a hassle it will be to less technical users

And one important question: how are you going to disambiguate users with identical names (e.g. are you going to require a unique email address?). What about shared email addresses? etc...

...and do MUCH reading while doing this. IMO, what you're trying to do requires serious preparation.. you should play with all of the above possibilities and READ during that time for at least a month before making ANY kind of decision.

Once you give your users PKI, they'll start coming up with the strangest ideas.. many of them you will flat-out reject, but some of them will be legitimate requests and can catch you unprepared..
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
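The toy-CA drill the post recommends (issue several certs to one user on different addresses, revoke one, check against a CRL), as an added example that is not from the post or the list. It assumes only the openssl CLI is installed; the CA name, user name and addresses are made up.

```shell
#!/bin/sh
# Toy X.509 CA drill (added example, not from the post; needs the openssl CLI;
# names and addresses are made up): issue two certs to one user, revoke one,
# publish a CRL, and check both certs against it.
issue_cert() {  # issue_cert <label> <subject DN>
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -days 30 -in "$1.csr" -out "$1.crt" \
    >/dev/null 2>&1
}
toy_ca_demo() (
  set -e
  work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
  # Root CA plus the bookkeeping files "openssl ca" needs.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 30 -subj "/CN=Toy Root CA" >/dev/null 2>&1
  mkdir newcerts; : > index.txt; echo 1000 > serial
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = toy
[ toy ]
database = index.txt
new_certs_dir = newcerts
certificate = ca.crt
private_key = ca.key
serial = serial
default_md = sha256
default_crl_days = 7
unique_subject = no
policy = toy_policy
[ toy_policy ]
commonName = supplied
emailAddress = optional
EOF
  # Same person, two addresses: the DN differs only in emailAddress.
  issue_cert alice_work "/CN=Alice Example/emailAddress=alice@corp.example"
  issue_cert alice_home "/CN=Alice Example/emailAddress=alice@home.example"
  # Revoke the work cert, publish a CRL, bundle it with the root for verify.
  openssl ca -config ca.cnf -revoke alice_work.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
  cat ca.crt ca.crl > trust.pem
  # Without -crl_check the revoked cert still chains: CRL checking is opt-in.
  openssl verify -CAfile ca.crt alice_work.crt >/dev/null
  if openssl verify -crl_check -CAfile trust.pem alice_work.crt >/dev/null 2>&1; then
    echo "revoked cert still verifies" >&2; exit 1
  fi
  openssl verify -crl_check -CAfile trust.pem alice_home.crt >/dev/null
  echo "CRL check: work cert rejected, home cert accepted"
)
toy_ca_demo
```

The point the post makes shows up in the two verify calls: a revoked cert keeps validating until the relying party is actually configured to fetch and apply the CRL.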