Using gpg in larger scale at a University

Kurt Fitzner kfitzner at excelcia.org
Tue Jan 3 02:06:15 CET 2006


The good news is that Werner is very serious about good Windows support
for GnuPG.  He has started the gpg4win project to collect together all
the Windows front ends and plugins under one installer.  The bad news is
that this is a work in progress.

Thomas Widhalm wrote:
> I need a plugin for Outlook which supports gpg/MIME and maybe inline gpg. (Not 
> Gdata, this didn't work out)

There is a new Outlook plugin called GPGol that is part of that gpg4win
project.  Werner himself is writing it.  It's loosely based on the old
GData plugin - essentially a rewrite of it.  I don't use Outlook myself
(thank heavens I don't have to), so I can't tell you what the current
state is.  Back in September when he first announced it, it apparently
worked with Outlook 2003, but not Outlook 2000.  You can find it
currently at:
  ftp://ftp.g10code.com/g10code/gpgol/

> I think it would be a good idea to create a CA. How to achieve that? How to 
> keep the key safe? Is just one person the CA, or a bunch of people? What if 
> someone leaves us? What if an employee leaves, loses his email address but 
> still has a signature. Should we revoke it?

You are mixing up questions about security policy with questions about
policy implementation.  I hope I'm not stepping on any toes here, but
I think I should suggest that this isn't the place to look for advice on
security policy.  You might get good advice - but then again, you might
get the most dangerous type of advice there is: advice that sounds
logical, that seems to make sense, from someone who is generally
technically competent, but that has a nonobvious flaw in it that will
come back to haunt you.  I'll tell you right now, I'm one of those
people.  I'm a project manager, a good programmer, I use GnuPG and have
written software for it, but I'm not a security consultant.

There are ISO standards for this sort of thing - standards that specify
what a computer that holds a certificate authority's keys can and can't
be hooked to, who can hold the passphrases and tokens, key length, and
so forth.  If you really are serious and want to have a good security
policy, you should talk to someone who knows these standards.


> Is it possible/useful to create an own keyserver which synchronises with the 
> official ones? How to do that?

Yes, this is possible.  I can't tell you if it would be useful as that
is based on your security policy and users' requirements.  If the group
of people who will be using the server need keys for people who don't
use your server (people in the general OpenPGP community), then it would
be useful.

My understanding is that not all keyservers synchronize together - there
are groups that synchronize with each other, but are otherwise
self-contained.  You would have to contact the maintainers of any particular
group in order to find out what their requirements are for joining.
Probably the easiest way to find this out is to email the contact person
for a particular server that you know is in the group you want to join.

Hope this helps.

	Kurt.