Hi Ingo-- This is a well-thought-out response, but there are some nagging, nit-picky details that I'm not sure are what you meant:
On 07/27/2009 06:33 AM, Ingo Krabbe wrote:
> 3. GnuPG is a distributed system in contrast to SSL Ciphers, that are
> asymmetric as well but need a centralized keyserver to prove the validity of
> the key.

I think you mean to contrast OpenPGP certificates with X.509 certificates
here, not GnuPG with SSL. It is possible to use OpenPGP certificates with
recent versions of TLS under some implementations:

  http://tools.ietf.org/html/rfc5081

> For example the problem is: If you create the keys for your users, you will
> have to transfer them to the users, which makes a bit of unsureness of who
> listens on the transfer lines.

If the OP works in a traditional office, then transferring the keys to the
users via a pendrive (or other variation of sneakernet) is a pretty
reasonable way to avoid this concern.

> And: You can only encrypt the files for one key. So only one user will have
> access to the files (owns the files), as long as you don't share the keys.
> For example you can introduce company wide keys or department keys and
> distribute them to anyone, who should have access.

You actually can encrypt files to more than one OpenPGP key, so that anyone
holding any of the recipient keys can decrypt the data.

Maybe this approach would be useful for the OP? If, as IT administrator, you
have the opportunity to configure your users' ~/.gnupg/gpg.conf, you could
add a line like

  recipient 0xDEADBEEFDEADBEEF

to specify that all encryptions will automatically be encrypted to a key
that you retain for the kind of emergency recovery scenarios you describe.

        --dkg
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users