* Neal Dudley <[EMAIL PROTECTED]> wrote:

> Some points to consider:

Great :-) Thread is getting even more interesting *g*

> Regardless of whether or not the company signing key has signed or
> revoked its signature on the user's signing key, it is ultimately up to
> the employee to trust or not trust the other employee's key(s).

Absolutely. But we have a quite flat trust network with one central company key and the employees' keys that get signed with the company key. Our communication partners have to check the signature on our employees' keys, and it's up to our partners to check from time to time whether there was a change in the relationship between our employees and our company key - I guess this is the most difficult part.

> This is one of the beautiful points of PGP/GPG - there is no third party to
> dictate whose keys you can trust or not trust. That trust decision is
> solely up to the user.
>
> Please, no one flame me, but it is worth looking at S/MIME and PGP for
> this issue. Yes, on a purely technical level, we are talking about the
> same cryptographic algorithms. The difference between S/MIME and PGP,
> as I understand it, is mainly semantics involving the trust
> relationships. In S/MIME, a third party dictates to you what is to be
> trusted or untrusted. In contrast, under PGP the user defines what is
> to be trusted or not.

Right. But we do not want to use S/MIME for several reasons, and our communication partners are already using OpenPGP messages. So this decision is already made by facts, not by arguing. Although I share your point of view.

> I'm very interested in this thread, as I'm not clear as to how you could
> create policies (at least ones that can be enforced) to control trust
> relationships in a company. This seems to be more a question of office
> politics than secure email technology.

Absolutely. I (as the person responsible for company security) have to check every key that I am signing with the company key.

I have to explain the important issues of key management to my employees (non-IT people for the most part). I do this by giving exact instructions with screenshots of every step - WinPT is helping here because it is mouse-oriented :-)

So I have to check the proper security in the system - which is this thread-part here - and I have to make sure that every party understands the system, which I do with exact instructions for my employees and with instructions for our partners.

I know that there might be some pitfalls concerning employees that sign everything or make other mistakes that can have an influence on our web of trust. But the alternative is worse: plain text - oh sorry ... HTML emails without encrypting or signing at all. And this has to be considered as the default method in companies these days :-(

> In a small company, this could certainly be handled. Mention the issue
> at the regular staff meetings, and it remains the user's responsibility
> to revoke trust in that keypair.

Well, I will see how this turns out. Most of my employees don't want to learn anything at all that is not 100% part of their work. And cryptography is surely not 100% part of their work. Social problem. So this also would imply usage of S/MIME.

> By the same token - good luck to you in implementing this if
> you are referring to a larger company.

100-250 employees will be the target. But not all of them need GPG.

> If you create scripts or otherwise to force employees to check their
> keyring against some central corporate keyserver, please share.

Sure. But I guess that scripts are not user-friendly enough for my employees :-(

> I hope your users are savvy enough to understand what they are doing.

Hehe.

> If that is the case, so much the better for you, lucky dog!

Well, good night for tonight ... says the unlucky dog ;-)

-- 
Karl Voit

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
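The periodic check the thread describes (a partner verifying whether the company key's certification on an employee key is still in force, or has since been revoked), as an added example that is not part of the original thread or of GnuPG itself: it parses the colon-separated listing from `gpg --with-colons --check-sigs`, run after `gpg --refresh-keys` so revocations published on the keyserver are present. The company key ID, the sample listing and the function name are constructed placeholders.

```python
COMPANY_KEYID = "0123456789ABCDEF"  # placeholder; substitute the real company key ID

# Constructed sample listing (not real keys): Alice certified, Bob's
# certification later revoked by the company key, Carol never certified.
SAMPLE = """\
pub:u:2048:1:AAAAAAAAAAAAAAAA:1100000000:::u:::scESC:
uid:u::::1100000000::HASH1::Alice Employee <alice@example.com>::
sig:!::1:0123456789ABCDEF:1100001000::::Example Corp Key <key@example.com>:13x:
pub:u:2048:1:BBBBBBBBBBBBBBBB:1100000000:::u:::scESC:
uid:u::::1100000000::HASH2::Bob Former <bob@example.com>::
sig:!::1:0123456789ABCDEF:1100001000::::Example Corp Key <key@example.com>:13x:
rev:!::1:0123456789ABCDEF:1100002000::::Example Corp Key <key@example.com>:30x:
pub:u:2048:1:CCCCCCCCCCCCCCCC:1100000000:::u:::scESC:
uid:u::::1100000000::HASH3::Carol Outsider <carol@example.org>::
sig:!::1:CCCCCCCCCCCCCCCC:1100000000::::Carol Outsider <carol@example.org>:13x:
"""

def company_certification_status(colons_output, company_keyid=COMPANY_KEYID):
    """Map each key ID to 'certified', 'revoked' or 'not certified', judged by
    the company key's newest good sig/rev record on that key (per key, not per
    user ID: one revoked certification counts as the endorsement being withdrawn)."""
    events = {}  # keyid -> {"sig": newest timestamp, "rev": newest timestamp}
    current = None
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]
            events[current] = {}
        elif f[0] in ("sig", "rev") and current is not None:
            # Count only records made by the company key that gpg marked good ('!');
            # '-' (bad), '?' (signer key missing) and '%' (error) are not evidence.
            if f[4] != company_keyid or f[1] != "!":
                continue
            ts = int(f[5] or 0)
            events[current][f[0]] = max(ts, events[current].get(f[0], 0))
    status = {}
    for keyid, ev in events.items():
        if "sig" not in ev:
            status[keyid] = "not certified"
        elif ev.get("rev", -1) >= ev["sig"]:
            status[keyid] = "revoked"
        else:
            status[keyid] = "certified"
    return status

if __name__ == "__main__":
    for keyid, state in company_certification_status(SAMPLE).items():
        print(f"{keyid}: {state}")
```

A key reported as "revoked" or "not certified" should no longer be treated as vouched for by the company, whatever trust the partner previously assigned to it.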