David Shaw wrote:
>> Looks like this is ADK. Is there any way to do this on gpg?
>>
> Yes. Put "encrypt-to (the-adk-key)" in everyone's gpg.conf.

I thought that ADKs would work whenever encrypting to a key with that feature enabled (i.e. also for incoming emails)? I.e. it is per-key and not a per-user setting? Of course, for outgoing mail you'd still need the additional encrypt-to (unless you regularly encrypt to your own key which would have the ADK).

Furthermore, PGP has these fascinating key-splitting options that allow you to distribute shares of a secret key to a group and define how many shares would be necessary to conduct secret-key operations. There, you would actually have "the math" ensuring that the boss can read the email. This would allow advanced schemes like: "Either the original owner alone or the boss in cooperation with the company's notary public can decrypt mail." Or, leaving ADK-related use-cases aside, "3 of 5 board members are required to approve an order by digitally signing it."

It seems that GnuPG has no capability to ensure decrypt-ability for incoming encrypted data, apart from outright key-escrow.

It has been a while since I was last using the commercial PGPs, and I could be remembering incorrectly. So, feel free to correct me if I'm wrong (in particular, I have no idea whether these features are still present in recent (freeware) versions).

cu, Sven