On Mon, Mar 17, 2008 at 05:23:39PM +0100, Karl Voit wrote:
> * Karl Voit <[EMAIL PROTECTED]> wrote:
> >
> > I want to establish secure email communication in our company
> > (Windows, Outlook, gpg4win). I do not want to maintain a keyserver
> > by myself.
> >
> > My attempt: every employee generates his own keypair and exports the
> > public key to a keyserver. I as the admin download his key from the
> > server, compare the ID with the employee and sign the key with the
> > "central company key".
> >
> > Any communication partner can check whether the key of the employee
> > was signed by our official "company key", which is downloadable from
> > our web site.
> >
> > So far so good - I think.
> >
> > But: what if an employee quits the company? Can I revoke the
> > signature? WinPT (as a key management frontend) does not seem to
> > provide this feature.
>
> I just found out that WinPT does not provide all options that gpg
> (command line version) provides :-(
>
> So my current attempt is: the employee has to add the company key as
> a revoker and then export it to the keyserver. So the company key is
> able to revoke any employee's key.
Note that those methods are only useful so long as the communication
partner gets the key from your company (a web page, a company keyserver,
or the like), and not from a public keyserver or from the employee. The
reason for this is that keys or signatures can be 'unrevoked' by a
malicious 3rd party (who may or may not be the employee).

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users