[SLUG] GPG key signing party

Matthew Toseland toad at amphibian.dyndns.org
Sat Mar 15 15:42:00 GMT 2008


On Saturday 15 March 2008 15:38, Matthew Toseland wrote:
> You can have a corporate PKI. You'd create a certificate authority, and use 
> that to sign each employee's public key. Individual employees could either 
> generate their own keys (which has the advantage/disadvantage that they can 
> choose their own passphrase!), or you could generate them for them, but 
> preferably do that on their workstation. Then export their pubkey, save it on 
> the USB stick (named by their email address), and sign them all. Then upload 
> them and the signatures to the public servers, and anyone in the world can 
> securely send a mail to them.

Sorry, I'm thinking X.509. In GPG terms, there is no such thing as 
a "certificate authority". What you do is sign their keys with your key 
(which might itself be shared/hosted on company hardware so it can be passed 
on when you leave), then anyone who trusts your key has a path to each 
employee. You'd also want each employee's key to sign your key, since they 
trust you to vouch for other employees.
> 
> On Friday 14 March 2008 17:51, Al Girling wrote:
> > On Fri, Mar 14, 2008 at 04:09:13PM GMT, Stephen O'Neill wrote:
> > > David Knight wrote:
> > 
> > --%<-- 
> > 
> > > >The next question is do 
> > > >I need to generate a certificate for every member of the company? 
> > > 
> > > 
> > > Erm, yeah - you do really. I guess you could have a single corporate key 
> > > that everyone uses, but I don't think that's a good idea as the private 
> > > key would be getting spread around and lots of people would know the 
> > > passphrase etc ... I'm hoping more experienced GnuPG'ers will chip in 
> > > here :)
> > 
> > I have no knowledge of corporate scale GnuPG use either, but the idea
> > behind this is to ensure the identity of individuals.  It is possible to
> > create a key for an organisation that has a split passphrase (in the
> > manner of a business bank account that requires two or more signatories),
> > but that's getting even more complicated than necessary for the moment.
> > I'll track down a link for it if required though.
> > 
> > My suggestion would be for all employees to have a USB pen with their
> > public/private key ring stored on it.  There's a good explanation for
> > this within this howto:
> > 
> > http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html
> > 
> > Doing this means the key pair stays with the individual rather than the
> > work station.  You said earlier that the mail system uses IMAP so even
> > encrypted mails are available from a central server, but only the
> > intended recipient can gain access.
> > 
> > I take it these are Windows machines.  Unless of course you've managed
> > to get your company working with Linux work stations.  If so,
> > congratulations!  If the former, you'll have to figure out the USB pen
> > connection as I've no experience of Windows since W95.
> > 
> > > >How do I share these certificates. Surely emailing them out will
> > > >invalidate their security?
> > 
> > You only need someone's public key to be able to send them encrypted
> > emails/files.  These are generally available on public key servers so
> > you'll not compromise security by distributing via email.
> > 
> > > Stick them on a pen drive, copy them to the target machine(s) I would
> > > say...
> > 
> > If you're talking about the private key then Steve's advice above is
> > good.  Of course, using the USB pen as the storage device means you
> > simply create each key pair directly onto each employee's USB pen and the
> > job's done.
> > 
> > > I have no idea to be honest how GPG works on a corporate scale. The
> > > point seems to be about identifying individuals, the fact that someone
> > > belongs to a corporation is kind of accidental. I imagine that people
> > > may use different keys for different purposes - e.g. you may have a
> > > personal key with all your personal email identities and then another
> > > key for work which is 'issued' to you by your employer. You and your
> > > employer know the passphrase, your employer has a revocation
> > > certificate so that when you leave the company they can revoke that
> > > key to prevent you doing bad things.
> > 
> > Seems to be sound advice to me.  I'd certainly have work and personal
> > keys separate from each other.
> > 
> > I'll poke around and see what I can come up with over the weekend about
> > this.
> > 
> > Toodle pip,
> > 
> > Al
> > 
> > Oh yeah!  I've updated the GnuPG howto to include adding extra UIDs
> > (email addresses) today.
> > 
> > -- 
> > Al Girling
> > 
> > Linux User: #290080             <http://counter.li.org>
> > Home-page:                      <http://al.sdf-eu.org>
> > 
> 
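The workflow Matthew describes (employees hand over public keys, the company key signs them, the signed keys are published, and employees countersign the company key) as a runnable script. This is an added example, not code from the thread or from any of its authors. It assumes GnuPG 2.1 or later on PATH, uses throwaway keyrings under a temp dir to stand in for the company host and for two employees' USB sticks, and the people and addresses (Alice and Bob at example.com, a "keysigning@example.com" company key) are made up for the demo. Passphrases are left empty only so the script runs unattended; real keys get a passphrase.

```shell
#!/bin/sh
# Added example (not from the thread): a small corporate web of trust with GnuPG.
# Assumptions: GnuPG 2.1 or later on PATH; throwaway key rings under a temp dir
# stand in for the company host and for two employees' USB sticks; the people
# and addresses (alice@example.com, bob@example.com) are made up.
set -eu

WORK="$(mktemp -d)"
cleanup() {
  for h in company alice bob; do
    [ -d "$WORK/$h" ] && GNUPGHOME="$WORK/$h" gpgconf --kill all 2>/dev/null || true
  done
  rm -rf "$WORK"
}
trap cleanup EXIT

# g KEYRING ARGS...: run gpg non-interactively against one keyring. The empty
# passphrase is for the demo only; real keys get a passphrase (or a smartcard).
g() {
  home="$WORK/$1"; shift
  GNUPGHOME="$home" gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"
}

# make_keyring NAME UID EXPIRE: a fresh keyring holding one newly generated key
make_keyring() {
  mkdir -p "$WORK/$1" && chmod 700 "$WORK/$1"
  g "$1" --quick-generate-key "$2" default default "$3" 2>/dev/null
}

# fpr KEYRING UID: primary fingerprint of the key matching UID
fpr() {
  g "$1" --with-colons --list-keys "$2" 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}'
}

# sigs_by KEYRING FPR SIGNER_FPR: number of certifications on FPR made by SIGNER_FPR
sigs_by() {
  g "$1" --with-colons --list-sigs "$2" 2>/dev/null |
    awk -F: -v s="$3" '$1=="sig" && index(s,$5){n++} END{print n+0}'
}

# validity KEYRING UID: computed validity of the key ("f" = fully valid,
# "u" = ultimately valid, "-" = unknown) after refreshing the trust database
validity() {
  g "$1" --check-trustdb 2>/dev/null
  g "$1" --with-colons --list-keys "$2" 2>/dev/null | awk -F: '$1=="pub"{print $2; exit}'
}

COMPANY_UID="Example Corp Key Signing <keysigning@example.com>"
ALICE_UID="Alice Example <alice@example.com>"
BOB_UID="Bob Example <bob@example.com>"

setup_web_of_trust() {
  make_keyring company "$COMPANY_UID" 5y   # the shared/hosted company signing key
  make_keyring alice   "$ALICE_UID"   2y   # Alice's USB stick
  make_keyring bob     "$BOB_UID"     2y   # Bob's USB stick
  c=$(fpr company "$COMPANY_UID"); a=$(fpr alice "$ALICE_UID"); b=$(fpr bob "$BOB_UID")

  # 1. Employees hand over public keys only; private material stays on the stick.
  g alice --export --armor "$a" > "$WORK/alice.pub"
  g bob   --export --armor "$b" > "$WORK/bob.pub"

  # 2. The company key certifies each employee key.
  g company --import "$WORK/alice.pub" "$WORK/bob.pub" 2>/dev/null
  g company --default-key "$c" --quick-sign-key "$a" 2>/dev/null
  g company --default-key "$c" --quick-sign-key "$b" 2>/dev/null

  # 3. The signed keys and the company key are published (a file here; a key
  #    server in practice, via gpg --send-keys).
  g company --export --armor "$c" "$a" "$b" > "$WORK/published.asc"

  # 4. Alice imports the bundle, countersigns the company key as the mail
  #    suggests, and records that she trusts it (ownertrust 5 = full) to vouch
  #    for colleagues. Bob's key becomes fully valid in her keyring without her
  #    ever having checked Bob's fingerprint herself.
  g alice --import "$WORK/published.asc" 2>/dev/null
  g alice --default-key "$a" --quick-sign-key "$c" 2>/dev/null
  echo "$c:5:" | g alice --import-ownertrust 2>/dev/null
}

if command -v gpg >/dev/null 2>&1; then
  setup_web_of_trust
  echo "company signatures on Bob's key: $(sigs_by alice "$(fpr alice "$BOB_UID")" "$(fpr alice "$COMPANY_UID")")"
  echo "validity of Bob's key in Alice's keyring: $(validity alice "$BOB_UID")"
fi
```

Two points worth noticing when reading the output. Ownertrust is a local decision in each keyring, so every employee (and every outside correspondent) has to mark the company key as trusted themselves; publishing the signatures only gives them the path, it does not make the decision for them. And the script does nothing about revocation: for the set-up Stephen describes, the company would also generate a revocation certificate for each employee key (gpg --gen-revoke) at issue time and keep it somewhere the employee cannot reach.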