Date: Wed, 15 Jun 2005 22:10:22 -0500
From: Dan Nelson <dnelson@allantgroup.com>
To: Tony Shadwick <tshadwick@goinet.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: GnuPG in the enterprise
Message-ID: <20050616031022.GA14991@dan.emsphone.com>
In-Reply-To: <20050615180436.Q30082@mail.goinet.com>
References: <20050615180436.Q30082@mail.goinet.com>
In the last episode (Jun 15), Tony Shadwick said:
> Are there any good documents out there on managing GnuPG in the
> enterprise?
>
> There are basic issues I need to be able to address, such as a
> situation when an employee leaves a company. The admin needs to have
> the rights to revoke that user's public key, and be able to decrypt any
> old messages to that user, and be able to decrypt messages sent to
> that user that are now being redirected to someone else for handling.
>
> Are there established mechanisms for handling centralized key
> management in a company to where the Administrator has access to
> everything required?

One solution is to make a copy of all keys (with known passphrases) when
they are created, and put the copy in a secure location. If an employee
leaves suddenly, you can retrieve the key to decrypt leftover files and
revoke the key.

Pgp.com's Windows PGP software uses special Revoker keys and Additional
Decryption Keys that get added when files are signed, so files are always
encrypted to multiple recipients and keys are always revokable even if
the original key no longer exists. gpg doesn't recognize ADKs, though.

-- 
	Dan Nelson
	dnelson@allantgroup.com
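The escrow scheme Dan describes, worked through as an added example that is not part of the thread and not the author's own code. It assumes GnuPG 2.1 or later (which writes a revocation certificate to `openpgp-revocs.d/` at key generation), a hypothetical escrow directory `$ESCROW_DIR` reachable only by admins, and a hypothetical admin keyring in `$ADMIN_HOME`. The `encrypt-to` line stands in for PGP's Additional Decryption Key; gpg has no equivalent, and this is a client-side default the user can remove, so escrow at creation time remains the backstop.

```shell
#!/bin/sh
# Added example (not from the thread): GnuPG key escrow at key-creation time.
# Assumptions (hypothetical): GnuPG >= 2.1 in PATH, $ESCROW_DIR on an
# admin-only machine, $ADMIN_HOME as the admin's recovery keyring.
set -eu

ESCROW_DIR=${ESCROW_DIR:-/var/escrow}
ADMIN_HOME=${ADMIN_HOME:-/root/.gnupg-escrow}

# Unattended key-generation parameter file for "gpg --batch --gen-key".
# Args: real name, email, passphrase, expiry (e.g. 1y).
make_gen_params() {
    cat <<EOF
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: $1
Name-Email: $2
Expire-Date: $4
Passphrase: $3
%commit
EOF
}

# gpg.conf line that adds a second recipient to every encryption, the
# closest gpg gets to an ADK. Arg: admin key fingerprint.
make_user_gpg_conf() {
    printf 'encrypt-to %s\n' "$1"
}

# Fingerprint of the first secret key in a homedir, taken from the
# --with-colons "fpr" record (field 10).
secret_key_fpr() {
    gpg --homedir "$1" --batch --with-colons --list-secret-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Generate the user's key in $4 (their future GNUPGHOME) and copy the secret
# key, public key, passphrase and auto-written revocation certificate into
# escrow. Prints the fingerprint.
escrow_new_key() {
    name=$1; email=$2; pass=$3; home=$4
    umask 077
    mkdir -p "$home" "$ESCROW_DIR"; chmod 700 "$home"
    make_gen_params "$name" "$email" "$pass" 1y > "$home/params"
    gpg --homedir "$home" --batch --gen-key "$home/params"
    fpr=$(secret_key_fpr "$home")
    gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase "$pass" \
        --armor --export-secret-keys "$fpr" > "$ESCROW_DIR/$fpr.sec.asc"
    gpg --homedir "$home" --batch --armor --export "$fpr" > "$ESCROW_DIR/$fpr.pub.asc"
    printf '%s\n' "$pass" > "$ESCROW_DIR/$fpr.passphrase"
    cp "$home/openpgp-revocs.d/$fpr.rev" "$ESCROW_DIR/$fpr.rev"
    rm -f "$home/params"   # the passphrase must not stay on disk in clear
    echo "$fpr"
}

# Admin side, after the employee has left: import the escrowed secret key
# and decrypt a file that was encrypted to it.
admin_decrypt() {
    fpr=$1; file=$2
    pass=$(cat "$ESCROW_DIR/$fpr.passphrase")
    mkdir -p "$ADMIN_HOME"; chmod 700 "$ADMIN_HOME"
    gpg --homedir "$ADMIN_HOME" --batch --pinentry-mode loopback --passphrase "$pass" \
        --import "$ESCROW_DIR/$fpr.sec.asc"
    gpg --homedir "$ADMIN_HOME" --batch --pinentry-mode loopback --passphrase "$pass" \
        --decrypt "$file"
}

# Revoke: GnuPG prefixes the first armor line of the .rev file with a colon
# so it cannot be imported by accident; strip it, import public key plus
# revocation, then publish with "gpg --send-keys $fpr" (network step, left
# to the operator).
admin_revoke() {
    fpr=$1
    mkdir -p "$ADMIN_HOME"; chmod 700 "$ADMIN_HOME"
    gpg --homedir "$ADMIN_HOME" --batch --import "$ESCROW_DIR/$fpr.pub.asc"
    sed 's/^://' "$ESCROW_DIR/$fpr.rev" | gpg --homedir "$ADMIN_HOME" --batch --import
}

# End-to-end demo in throwaway directories: run as "sh escrow.sh demo".
if [ "${1:-}" = demo ]; then
    ESCROW_DIR=$(mktemp -d); ADMIN_HOME=$(mktemp -d); uhome=$(mktemp -d)
    fpr=$(escrow_new_key "Alice Example" "alice@example.com" "hunter2" "$uhome")
    echo "payroll data" | gpg --homedir "$uhome" --batch -r "$fpr" --encrypt > "$uhome/msg.gpg"
    admin_decrypt "$fpr" "$uhome/msg.gpg"
    admin_revoke "$fpr"
    gpg --homedir "$ADMIN_HOME" --batch --list-keys "$fpr"   # shows [revoked]
fi
```

The escrow directory now holds every employee's private key and passphrase, so it is the most valuable target in the scheme: keep it offline or encrypted to the admins' own keys, restrict and log access, and treat `encrypt-to` as a convenience for day-to-day recovery rather than a control, since a user can delete the line from their gpg.conf.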
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050616031022.GA14991>