* Neal Dudley <[EMAIL PROTECTED]> wrote:

> Karl Voit wrote:
>> Our communication partners have to check the signature of our
>> employees' keys and it's up to our partners that they check from time
>> to time whether there was a change in the relationship between our
>> employees and our company key - I guess this is the most difficult
>> part.
>
> NO - education on using GPG will be the hardest part.

I was afraid of this sentence :-)

> If your partners understand using GPG, you're more than half way there.

I cannot assume this. I am in the automotive business and most of the
employees here were studying Mechanical Engineering. So IT knowledge is
not their primary goal and most of them do not want to learn IT although
I try my best to enlighten something ... :-)

> Given that knowledge changes things a bit. Why not generate all the keys *for*
> your employees - AND immediately generate revocation certificates. If
> someone leaves, simply send the revocation certificate to those that
> conversed with that employee (and submit it to your keyserver).

I thought of that too. I have to admit that I do not want to generate
the keys myself because I am lazy and we do have four office buildings
that make physical meetings more difficult, and sending keys over the
Exchange server is not quite ... good :-) So I tried to generate a
system where I can get the keys from the keyservers and check them
(correct key-id, added revoker, ...) before signing.

>> But we do not want to use S/MIME for several reasons and our
>> communication partners already are using OpenPGP messages. So this
>> decision is already done by facts, not by arguing. Although I share
>> your point of view.
>
> If I wasn't a proponent of GPG, would I be on this list? ;)
>
> I'm impressed with the maturity of this mailing list. Most lists would
> have exploded into a religious war. Really says something of the
> caliber of the people on this list.

Sorry, this is my first thread on this list :-) But usually flaming
stops after some years working in the real-world IT business. I am even
working on Windows the whole day (in the company)! =:-|
(made an attempt for a flamewar? *ggg*)

>> Absolutely. I (as the person responsible for company security) have
>> to check every key that I am signing with the company key. I have to
>> explain the important issues of key management to my employees
>> (non-IT people for the most part). I do this by giving exact
>> instructions with screenshots of every step - WinPT is helping here
>> because it is mouse-oriented :-)
> ...
>> I know that there might be some pitfalls concerning employees that
>> sign everything or make other mistakes that can have an influence on
>> our web-of-trust. But the alternative is worse: plain text - oh
>> sorry ... HTML emails without encrypting or signing at all. And this
>> has to be considered as the default method in companies these days
>> :-(
>
> There are some options here. You could use the expert mode in GPG when
> generating their signing keys to remove the ability to certify with the
> signing keys to restrict users a bit more. Then they could sign
> documents, but not keys (if I understand that correctly). Or perhaps
> signing and encryption subkeys would be appropriate? That would
> simplify things - one primary signing key to protect.

Wow, I did not know that! I'll have a look at these options but I guess
I'll stick to the revoker method (also because every day there are more
employees that need to use GnuPG right now and I do have stress in
making all these decisions).

>> 100-250 employees will be the target. But not all of them need GPG.
>
> Only some of them need GPG? Ought to make your life a little easier. ;)

Make my life *possible*! :-)

>> Sure. But I guess that scripts are not user-friendly enough for my
>> employees :-(
>
> Depending on what you are using with/for the MUA to implement the
> signing and encryption,

gpg4win: collection of Windows tools like gnupg, WinPT (key-mgmt), GPGee
(Windows-Explorer extension), ... So I am using WinPT and the
corresponding Outlook plugin.

> you could use rules to simplify this for the users.

I try to do this by giving very detailed instructions with a lot of
screenshots on our local intranet webserver.
-- 
Karl Voit

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
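The pre-signing check described in the thread (fetch the employee key from a keyserver, then verify the key-id and that the company key is a designated revoker before certifying it with the company key), written out as an added example that is not part of the original post or of GnuPG. It assumes GnuPG's --with-colons listing format; the fingerprints and the sample listing are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the thread: checks an employee key before the
# company key certifies it. Expects the text of
#   gpg --with-colons --fingerprint --list-keys <keyid>
# (after a gpg --recv-keys). Fingerprints below are constructed placeholders.

# check_key LISTING EXPECTED_FPR COMPANY_FPR DOMAIN
# Succeeds only if: the primary key fingerprint equals EXPECTED_FPR, the
# company key is listed as a designated revoker (rvk record), and every
# user ID is an address at DOMAIN. Reasons for refusal go to stderr.
check_key() {
    listing=$1; expected=$2; company=$3; domain=$4
    # The first fpr record after pub holds the primary key fingerprint (field 10).
    primary=$(printf '%s\n' "$listing" | awk -F: '$1=="fpr" {print $10; exit}')
    [ "$primary" = "$expected" ] ||
        { echo "refuse: fingerprint $primary does not match $expected" >&2; return 1; }
    # rvk records carry the designated revoker's fingerprint in field 10.
    printf '%s\n' "$listing" |
        awk -F: -v c="$company" '$1=="rvk" && $10==c {ok=1} END {exit !ok}' ||
        { echo "refuse: company key is not a designated revoker" >&2; return 1; }
    # Every uid (field 10) must be an address at the company domain.
    printf '%s\n' "$listing" |
        awk -F: -v d="@$domain>" '$1=="uid" && index($10, d)==0 {bad=1} END {exit bad}' ||
        { echo "refuse: user ID outside $domain" >&2; return 1; }
    return 0
}

# Constructed sample listing of an employee key: primary fingerprint ...01,
# company key ...CAFECAFE registered as designated revoker, one company uid.
GOOD_FPR=0000000000000000000000000000000000000001
COMPANY_FPR=00000000000000000000000000000000CAFECAFE
SAMPLE_LISTING="pub:u:2048:1:0000000000000001:1200000000:::u:::scESC::::::23::0:
fpr:::::::::${GOOD_FPR}:
rvk:::1::::::${COMPANY_FPR}:80:
uid:u::::1200000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Alice Example <alice@example.com>::::::::::0:
sub:u:2048:1:0000000000000002:1200000000::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000002:"

# Stand-alone run: only certify when every check passes.
if check_key "$SAMPLE_LISTING" "$GOOD_FPR" "$COMPANY_FPR" example.com; then
    echo "checks passed; ok to run: gpg --default-key <company-keyid> --sign-key $GOOD_FPR"
fi
```

Feed it the real listing with `check_key "$(gpg --with-colons --fingerprint --list-keys "$fpr")" ...`; a mismatching fingerprint, a missing rvk record or a foreign user ID each make it refuse.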