Hi Alex

On 5/17/07, Janusz A. Urbanowicz <[EMAIL PROTECTED]> wrote:
> > Hello everybody,
> >
> > I am going to try to set up GPG for our small company (about 15
> > people) and would like to ask you guys for some help. Following I will
> > write down my thoughts on this that I had so far. Comments would be
> > highly appreciated since I do not want to start this before I
> > feel confident and have a complete plan.
>
> First, you should elaborate what is the purpose of the exercise. The
> business goal. There is no point in deploying crypto policy in an
> organization just for the sake of it, because people will see this as
> an unnecessary and pointless exercise.
>

The main goal is to prevent employees from eavesdropping on each other, since we had cases of stolen information. But even without a motivation like that, I think encrypted email should be set up where possible. There are other flaws in the computer system that would have to be addressed (a secretary has root access to the server to let her start the daily backup process after work), but I'm not in charge of that. I only want to offer my help for a GPG solution, which would help a lot in that environment. I might ask some questions related to smartcards soon, which I believe to be a good idea there, if I cannot figure everything out by myself. I am going through the mailing list archives right now.

So the goal is to secure email communication between our employees, and I think I am able to set this up now. The setup you describe is very similar to what I'm thinking of and thus confirms my ideas. Since I'm going through the trouble of setting everything up and teaching our employees, though, it would be great to also use GPG with business partners. I don't think it's really going to happen, but being ready for it would be a good idea, especially since we could use GPG to sign emails and maybe raise some interest. In the case of communication with others, I want to use GPG to encrypt and sign messages to prove the identity of the sender.

> > To have an internal Web-of-Trust there should be a main key (for the
> > company itself) signing the employees' keys and collecting their
> > signatures.
>
> When I did similar things the setup was as follows:
>
> * there is one well-guarded organization key (org key)
> * every person involved has a key signed by the org key
> * people keys have designated-revoker set to org key
> * all OpenPGP software installations have:
> ** mandatory encrypt-to org key
> ** ultimate trust for the org key
>
> If you don't want people to sign keys, issue them encryption-only keypairs.
>

It would be nice if you could write something about how GPG was used with outsiders in those cases. For example: Do you sign the other company's employees' keys and exchange them, or do you only local-sign them? In case the other company has an org key, too, do you sign and exchange it or only lsign it? Do you publish the org key to enable others to set a trust level that allows them to automatically trust the employees' keys signed by it?

> But this is quite generic setup and we could help you more if we knew
> what you're trying to accomplish.
>

I didn't tell you much new in this email, I'm afraid, but I really don't know what else to mention. Sorry for that. Thank you very much for your help!

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
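The org-key setup Janusz outlines (org key signs every employee key, org key is designated revoker, every installation has `encrypt-to` and ultimate trust for the org key) maps onto a handful of GnuPG settings and `--edit-key` commands. The script below is an added example written for this page, not code from either poster; the key ID `0123456789ABCDEF` is a placeholder for the real org key's long key ID, the interactive `addrevoker` prompt sequence is assumed from current GnuPG and should be checked against the version in use, and `gpg` must already hold the keys involved.

```shell
#!/bin/sh
# Added example: wiring an organization key into each user's GnuPG setup.
# ORG_KEYID is a placeholder long key ID (16 hex digits), not a real key.
ORG_KEYID="${ORG_KEYID:-0123456789ABCDEF}"

# Write a per-user gpg.conf so that (a) every message the user encrypts is
# also encrypted to the org key and (b) the org key is trusted like one of
# the user's own secret keys, which makes every employee key it signed valid.
write_gpg_conf() {
    keyid="$1"; out="$2"
    cat > "$out" <<EOF
# Always add the org key as a recipient (policy: "mandatory encrypt-to").
encrypt-to $keyid
# Ultimate trust for the org key (policy: "ultimate trust for the org key").
trusted-key $keyid
EOF
}

# Check that a gpg.conf carries both org-key settings; returns 0 if so.
# Useful for a periodic audit, since users can edit their own gpg.conf
# and this file alone is not enforcement.
conf_has_org_policy() {
    conf="$1"; keyid="$2"
    grep -q "^encrypt-to $keyid\$" "$conf" && grep -q "^trusted-key $keyid\$" "$conf"
}

# Run by the holder of the org key: certify an employee key with the org key
# and appoint the org key as that key's designated revoker.
# The answers fed to --edit-key (user ID, confirmation, save) are an
# assumption about the prompt order; verify against your gpg version.
enroll_employee_key() {
    emp="$1"
    gpg --batch --yes --default-key "$ORG_KEYID" --sign-key "$emp"
    printf 'addrevoker\n%s\ny\nsave\n' "$ORG_KEYID" \
        | gpg --batch --status-fd 1 --command-fd 0 --edit-key "$emp"
}

# Audit helper: does this employee key carry a certification by the org key?
# Field 5 of a "sig" record in --with-colons output is the signing key ID.
key_signed_by_org() {
    gpg --with-colons --list-sigs "$1" \
        | awk -F: -v org="$ORG_KEYID" '$1=="sig" && $5==org { found=1 } END { exit !found }'
}

# Usage (uncomment on a workstation that has the keys loaded):
#   write_gpg_conf "$ORG_KEYID" "$HOME/.gnupg/gpg.conf"
#   enroll_employee_key alice@example.com   # placeholder employee key
#   key_signed_by_org alice@example.com && echo "certified by org key"
```

`trusted-key` takes the long (16-digit) key ID; `encrypt-to` makes the org key a silent extra recipient, which is what gives the company an escrow path to every internal message, so the org key's secret material deserves the "well-guarded" treatment Janusz mentions (offline storage or a smartcard). The `conf_has_org_policy` and `key_signed_by_org` helpers exist because both policies live in files the employee controls; without an audit they describe intent, not enforcement.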