On 02-05-2014 18:18, Daniel Kahn Gillmor wrote:
> On 05/02/2014 06:03 PM, Faramir wrote:
>> On 28-04-2014 14:35, Daniel Kahn Gillmor wrote:
...
>>> But I also want to point out that some employers may have a
>>> legitimate need (even a legal compulsion) to be able to
>>> decrypt communications coming to your work-related e-mail. One
>>> reasonable solution to this is to provide them an escrowed copy
>>> of your ...
>> What about adding the boss key to the keys the message is
>> encrypted to?
>
> You're saying instead of doing escrow of encryption keys?

Yes, but now I realize it would only solve the problem of accessing
files encrypted by you (and just because I always add my own key to
the encryption recipients, it doesn't mean other people even want to
be able to decrypt messages sent by them).

> The only problem with that approach is that you have no control
> over the people who are encrypting messages and sending them to
> you. So you're bound to get some messages that the Boss wouldn't
> be able to decrypt later.

Yes, you are right... then, a new keypair for work-related stuff, and
handing over the encryption subkey. And maybe a big disclaimer saying
"if you send personal stuff to me, send it to my personal email,
encrypted to my personal key". Maybe it would be nice to be able to
bind specific encryption keys to specific UIDs, but the simplest thing
is to keep things apart.

...
> I'm not saying that all employers *should* do escrow of all their
> employees' encryption-capable keys. In fact, i think the majority
> of employer/employee relationships should probably never require
> any kind of key escrow. But there are some relationships where key
> escrow makes sense, and i wanted to clarify that it *only* makes
> sense for encryption-capable keys, not personal signing or
> authentication keys.

I agree. A few weeks ago I started working for a company that makes
websites (usually WordPress or Joomla), and the passwords to access
the sites obviously belong to the company. For now the solution was to
say "the login details are in an Excel file on my desktop, in case you
need them". Of course I keep a copy with me in case the desktop dies
or is stolen. A work mate left the login details of the site he was
working on, written on a piece of paper on his desk (I hope he
finishes it before somebody discards the paper while cleaning).
And yes, I'm very uncomfortable with that, I'd rather have some way to
have a thief-proof password repository, but so far I don't know how to
do it, and I'd also have to convince my boss and work mates to use it.

Best Regards