[SLUG] GPG key signing party

Matthew Toseland toad at amphibian.dyndns.org
Sat Mar 15 15:38:49 GMT 2008


You can have a corporate PKI. You'd create a certificate authority, and use 
that to sign each employee's public key. Individual employees could either 
generate their own keys (which has the advantage/disadvantage that they can 
choose their own passphrase!), or you could generate them for them, but 
preferably do that on their workstation. Then export their pubkey, save it on 
the USB stick (named by their email address), and sign them all. Then upload 
them and the signatures to the public servers, and anyone in the world can 
securely send a mail to them.

On Friday 14 March 2008 17:51, Al Girling wrote:
> On Fri, Mar 14, 2008 at 04:09:13PM GMT, Stephen O'Neill wrote:
> > David Knight wrote:
> 
> --%<-- 
> 
> > >The next question is do 
> > >I need to generate a certificate for every member of the company? 
> > 
> > 
> > Erm, yeah - you do really. I guess you could have a single corporate key 
> > that everyone uses, but I don't think that's a good idea as the private 
> > key would be getting spread around and lots of people would know the 
> > passphrase etc ... I'm hoping more experienced GnuPG'ers will chip in 
> > here :)
> 
> I have no knowledge of corporate scale GnuPG use either, but the idea
> behind this is to ensure the identity of individuals.  It is possible to
> create a key for an organisation that has a split passphrase (in the
> manner of a business bank account that requires two or more signatories),
> but that's getting even more complicated than necessary for the moment.
> I'll track down a link for it if required though.
> 
> My suggestion would be for all employees to have a USB pen with their
> public/private key ring stored on it.  There's a good explanation for
> this within this howto:
> 
> http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html
> 
> Doing this means the key pair stays with the individual rather than the
> work station.  You said earlier that the mail system uses IMAP so even
> encrypted mails are available from a central server, but only the
> intended recipient can gain access.
> 
> I take it these are Windows machines.  Unless of course you've managed
> to get your company working with Linux work stations.  If so,
> congratulations!  If the former, you'll have to figure out the USB pen
> connection as I've no experience of Windows since W95.
> 
> > >How do I share these certificates. Surely emailing them out will
> > >invalidate their security?
> 
> You only need someone's public key to be able to send them encrypted
> emails/files.  These are generally available on public key servers so
> you'll not compromise security by distributing via email.
> 
> > Stick them on a pen drive, copy them to the target machine(s) I would
> > say...
> 
> If you're talking about the private key then Steve's advice above is
> good.  Of course, using the USB pen as the storage device means you
> simply create each key pair directly onto each employee's USB pen and the
> job's done.
> 
> > I have no idea to be honest how GPG works on a corporate scale. The
> > point seems to be about identifying individuals, the fact that someone
> > belongs to a corporation is kind of accidental. I imagine that people
> > may use different keys for different purposes - e.g. you may have a
> > personal key with all your personal email identities and then another
> > key for work which is 'issued' to you by your employer. You and your
> > employer know the passphrase, your employer has a revocation
> > certificate so that when you leave the company they can revoke that
> > key to prevent you doing bad things.
> 
> Seems to be sound advice to me.  I'd certainly have work and personal
> keys separate from each other.
> 
> I'll poke around and see what I can come up with over the weekend about
> this.
> 
> Toodle pip,
> 
> Al
> 
> Oh yeah!  I've updated the GnuPG howto to include adding extra UIDs
> (email addresses) today.
> 
> -- 
> Al Girling
> 
> Linux User: #290080             <http://counter.li.org>
> Home-page:                      <http://al.sdf-eu.org>
> 
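The corporate-PKI workflow Matthew describes at the top of this message (a CA key certifies each employee's key, the public key is exported under the employee's email address, and the certification is checked before publishing), as an added shell example that is not part of this thread or of any project. It assumes GnuPG 2.2 or later on PATH and uses made-up names and addresses in a throwaway GNUPGHOME, so it touches no real keyring.

```shell
#!/bin/sh
# Corporate "CA signs every employee key" workflow, played out in a
# temporary GNUPGHOME. Assumes GnuPG 2.2+; all names/addresses are made up.
set -u

# gpg in unattended mode. The empty passphrase is for this demo only;
# a real employee key should carry one (chosen by the employee or the CA).
gpgb() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Print the full fingerprint of the first key matching a user-id.
fpr_of() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Generate CA and employee keys, certify the employee key with the CA key,
# export the employee's public key (file named by email address) and verify
# the CA certification. Returns 0 when the certification checks out,
# 77 if gpg is not installed, 1 on any other failure.
ca_sign_and_verify() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found, skipping"; return 77; }
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    # Step 1: the certificate authority key and one employee key.
    gpgb --quick-generate-key "Example Corp CA <ca@example.com>" default default never 2>/dev/null || return 1
    gpgb --quick-generate-key "Alice Example <alice@example.com>" default default never 2>/dev/null || return 1
    ca_fpr=$(fpr_of ca@example.com)
    emp_fpr=$(fpr_of alice@example.com)
    [ -n "$ca_fpr" ] && [ -n "$emp_fpr" ] || return 1
    # Step 2: the CA certifies the employee's public key.
    gpgb --local-user "$ca_fpr" --quick-sign-key "$emp_fpr" 2>/dev/null || return 1
    # Step 3: export the signed public key under the employee's address.
    gpg --batch --armor --export "$emp_fpr" > "$GNUPGHOME/alice@example.com.asc" || return 1
    # Step 4: check that a good ("!") certification by the CA's long key id
    # (last 16 hex digits of its fingerprint) is present on the key.
    gpg --batch --with-colons --check-sigs "$emp_fpr" 2>/dev/null \
        | awk -F: -v ca="$ca_fpr" '
            BEGIN { id = substr(ca, length(ca) - 15) }
            $1 == "sig" && $2 == "!" && $5 == id { ok = 1 }
            END { exit ok ? 0 : 1 }'
    rc=$?
    # Step 5 would be: gpg --keyserver <server> --send-keys "$emp_fpr" (not run here).
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
    return "$rc"
}
```

The function only returns 0 when `gpg --check-sigs` reports a good certification by the CA key; the keyserver upload is left as a comment so the script runs offline.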