[SLUG] GPG key signing party

Al Girling al at gcguk.demon.co.uk
Fri Mar 14 17:50:26 GMT 2008


On Fri, Mar 14, 2008 at 04:09:13PM GMT, Stephen O'Neill wrote:
> David Knight wrote:

--%<-- 

> >The next question is do 
> >I need to generate a certificate for every member of the company? 
> 
> 
> Erm, yeah - you do really. I guess you could have a single corporate key 
> that everyone uses, but I don't think that's a good idea as the private 
> key would be getting spread around and lots of people would know the 
> passphrase etc ... I'm hoping more experienced GnuPG'ers will chip in 
> here :)

I have no knowledge of corporate scale GnuPG use either, but the idea
behind this is to ensure the identity of individuals.  It is possible to
create a key for an organisation that has a split passphrase (in the
manner of a business bank account that requires two or more signatories),
but that's getting even more complicated than necessary for the moment.
I'll track down a link for it if required though.

My suggestion would be for all employees to have a USB pen with their
public/private key ring stored on it.  There's a good explanation for
this within this howto:

http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html

Doing this means the key pair stays with the individual rather than the
workstation.  You said earlier that the mail system uses IMAP, so even
encrypted mails are available from a central server, but only the
intended recipient can gain access.

I take it these are Windows machines.  Unless of course you've managed
to get your company working with Linux workstations.  If so,
congratulations!  If the former, you'll have to figure out the USB pen
connection as I've no experience of Windows since W95.

> >How do I share these certificates. Surely emailing them out will
> >invalidate their security?

You only need someone's public key to be able to send them encrypted
emails/files.  These are generally available on public key servers so
you'll not compromise security by distributing via email.

> Stick them on a pen drive, copy them to the target machine(s) I would
> say...

If you're talking about the private key then Steve's advice above is
good.  Of course, using the USB pen as the storage device means you
simply create each key pair directly onto each employee's USB pen and the
job's done.

> I have no idea to be honest how GPG works on a corporate scale. The
> point seems to be about identifying individuals, the fact that someone
> belongs to a corporation is kind of accidental. I imagine that people
> may use different keys for different purposes - e.g. you may have a
> personal key with all your personal email identities and then another
> key for work which is 'issued' to you by your employer. You and your
> employer know the passphrase, your employer has a revocation
> certificate so that when you leave the company they can revoke that
> key to prevent you doing bad things.

Seems to be sound advice to me.  I'd certainly have work and personal
keys separate from each other.

I'll poke around and see what I can come up with over the weekend about
this.

Toodle pip,

Al

Oh yeah!  I've updated the GnuPG howto to include adding extra UIDs
(email addresses) today.

-- 
Al Girling

Linux User: #290080             <http://counter.li.org>
Home-page:                      <http://al.sdf-eu.org>
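The set-up the thread sketches (one key pair per employee kept on their own media, only the public key sent out, the employer holding a revocation certificate), scripted with GnuPG as an added example that is not part of the original message. It assumes gpg 2.1 or later is installed; the user ID, passphrase and directories are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: the per-employee set-up discussed above,
# scripted against GnuPG 2.1 or later.  Each key pair lives in its own
# --homedir (the employee's USB pen; a temp dir stands in for it here), only
# the public key is exported, ASCII-armoured, for mailing, and the revocation
# certificate gpg writes at key creation is the copy the employer holds.
set -eu

# Create a key pair for UID inside HOMEDIR, protected by PASSPHRASE, and
# print the primary key's fingerprint.
make_employee_key() {   # HOMEDIR UID PASSPHRASE
    mkdir -p "$1" && chmod 700 "$1"
    gpg --homedir "$1" --batch --pinentry-mode loopback --passphrase "$3" \
        --quick-generate-key "$2" default default never
    gpg --homedir "$1" --with-colons --list-keys "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Export only the public key to OUTFILE.  This is what goes out by e-mail;
# the secret key never leaves the homedir.
export_public_key() {   # HOMEDIR FINGERPRINT OUTFILE
    gpg --homedir "$1" --armor --export "$2" > "$3"
    if grep -q "PRIVATE KEY" "$3"; then
        echo "refusing to distribute $3: it contains secret material" >&2
        return 1
    fi
}

# Path of the revocation certificate gpg generated alongside the key.  gpg
# prefixes its BEGIN line with a colon so the file cannot be imported by
# accident; the colon is removed only when the certificate is actually used.
revocation_certificate() {   # HOMEDIR FINGERPRINT
    printf '%s/openpgp-revocs.d/%s.rev\n' "$1" "$2"
}

# Demonstration run; everything lands in a throwaway directory.
demo_dir=$(mktemp -d)
usb_pen="$demo_dir/usbpen"                       # stands in for the USB pen
fpr=$(make_employee_key "$usb_pen" \
      "Example Employee <employee@example.test>" "example-passphrase")
export_public_key "$usb_pen" "$fpr" "$demo_dir/employee-public.asc"
# The employer keeps this file; it lets them revoke the key once the
# employee leaves, without needing the secret key itself.
cp "$(revocation_certificate "$usb_pen" "$fpr")" "$demo_dir/employer-escrow.rev"
echo "key $fpr created; public key and escrowed revocation cert in $demo_dir"
```

The temporary directory is left in place so the exported public key and the escrowed revocation certificate can be inspected afterwards.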