Suggestion: Corporate keyrings.

Adrian 'Dagurashibanipal' von Bidder avbidder@fortytwo.ch
Mon May 13 11:03:02 2002



On Mon, 2002-05-13 at 10:38, Brenno J.S.A.A.F. de Winter wrote:
> > Why not have a corporate key. The admin signs the keys he has verified,
> > the user trusts this corporate key signing key, and so automatically he
> > trusts all keys in the corporation.

> Nope my idea went a little bit further. Also non-corporate users could be
> verified (for instance: support@our-partner.companyxxx.com). Beside that

The meaning of a signature by this corporate key would have to be
defined. If all keys that are to be trusted by members of ACME, Inc. are
signed by the ACME corporate key, then you can do exactly that.
Signature by ACME corporate key == 'this key was verified by our
security admin'

> having a corporate key has some practical problems like passphrases and so.

A trusted keyring needs to have an administrator, too, and so would be
protected by some mechanism that could be equally tricky. I'd argue that
you could protect a single signing key better than a trusted keyring
database.

To conclude: I still don't see what you can do with a trusted keyring
that you can't do with a trusted key and signatures.

cheers
-- vbi


-- 
I sign e-mail using OpenPGP (rfc2440) compliant software.


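As an added illustration of the model argued for in the reply above (one trusted signing key whose certifications make other keys valid, instead of a distributed trusted keyring), here is a small Python model of the validity computation. It is not code from the original message or from GnuPG. The key ids, certifications, revocations and trust assignments are all constructed, and the rules are a deliberate simplification of GnuPG's classic trust model: the user assigns owner trust to a key (the `trust` command in `gpg --edit-key`), a key becomes valid when certified by one fully trusted introducer or by three marginally trusted ones, and the certification chain is bounded in depth.

```python
"""Model: key validity derived from a single trusted corporate signing key.

Constructed example only. No real OpenPGP cryptography is performed; the
certifications below stand for certification signatures that have already
been verified against the signer's public key.
"""
from collections import defaultdict

# Owner-trust levels, named as in GnuPG's classic trust model.
ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"

# Constructed owner trust for one user: "me" is the user's own key, and the
# user has decided that the corporate key CORP is a full introducer. This is
# the step that gives a CORP signature its meaning ("verified by our admin").
OWNER_TRUST = {"me": ULTIMATE, "CORP": FULL}

# Constructed certifications: (signer key id, certified key id).
CERTIFICATIONS = [
    ("me", "CORP"),                 # the user verified the corporate key
    ("CORP", "alice"),
    ("CORP", "bob"),
    ("CORP", "partner-support"),    # a non-corporate key the admin verified
    ("CORP", "revoked-carol"),      # certified, but the key is revoked
    ("alice", "mallory"),           # alice vouches, but alice is no introducer
]

# Constructed revocations: keys that are never valid and never introduce.
REVOKED = {"revoked-carol"}


def compute_validity(owner_trust, certifications, revoked,
                     marginals_needed=3, max_cert_depth=5):
    """Return the set of key ids that are valid for this user.

    Rules modelled (simplified from GnuPG's classic trust model):
      * the user's own (ULTIMATE) key is valid;
      * a key is valid if a valid FULL/ULTIMATE introducer certified it, or
        if `marginals_needed` valid MARGINAL introducers certified it;
      * only keys that are themselves valid and carry owner trust introduce;
      * revoked keys are never valid and never act as introducers;
      * at most `max_cert_depth` rounds of introduction are followed.
    """
    signers_of = defaultdict(set)
    for signer, subject in certifications:
        signers_of[subject].add(signer)

    valid = {k for k, t in owner_trust.items()
             if t == ULTIMATE and k not in revoked}

    # Each round extends validity by one certification step.
    for _ in range(max_cert_depth):
        newly_valid = set()
        for subject, signers in signers_of.items():
            if subject in valid or subject in revoked:
                continue
            introducers = {s for s in signers if s in valid and s not in revoked}
            has_full = any(owner_trust.get(s) in (FULL, ULTIMATE)
                           for s in introducers)
            marginals = sum(owner_trust.get(s) == MARGINAL for s in introducers)
            if has_full or marginals >= marginals_needed:
                newly_valid.add(subject)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid


def trusted_keyring_validity(keyring_keys, revoked):
    """The competing model: a distributed list of keys is valid as shipped.

    Adding a key means redistributing the keyring; the corporate-key model
    instead needs only a new certification from the admin's signing key.
    """
    return set(keyring_keys) - set(revoked)


def example_validity():
    """Validity under the constructed data above."""
    return compute_validity(OWNER_TRUST, CERTIFICATIONS, REVOKED)


if __name__ == "__main__":
    for key in sorted(example_validity()):
        print("valid:", key)
```

In this model the certification from CORP does nothing on its own; it is the owner trust the user assigns to CORP that turns "signed by the corporate key" into "valid for me", which is the definition step the reply says must be spelled out. The `partner-support` key shows that the admin can vouch for keys outside the company, and `mallory` shows that validity does not chain through `alice` unless the user also assigns her owner trust (or the admin uses trust signatures to delegate that).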