IT Department having the secure key.
Ingo Krabbe
ingo.krabbe at eoa.de
Mon Jul 27 15:41:38 CEST 2009
On Mon, Jul 27, 2009 at 08:29:10AM -0400, Daniel Kahn Gillmor wrote:
> Hi Ingo--
>
> This is a well-thought-out response, but there are some nagging,
> nit-picky details that i'm not sure are what you meant:
>
> On 07/27/2009 06:33 AM, Ingo Krabbe wrote:
> > 3. GnuPG is a distributed system in contrast to SSL Ciphers, that are
> > asymmetric as well but need a centralized keyserver to prove the validity of
> > the key.
>
> I think you mean to contrast OpenPGP certificates with X.509
> certificates here, not GnuPG with SSL. It is possible to use OpenPGP
> certificates with recent versions of TLS under some implementations:
>
> http://tools.ietf.org/html/rfc5081
Yes, true, I didn't remember that X.509 early in the morning.
>
> > For example the problem is: If you create the keys for your users, you will have
> > to transfer them to the users, which makes a bit of unsureness of who listens on
> > the transfer lines.
>
> If the OP works in a traditional office, then transferring the keys to
> the users via a pendrive (or other variation of sneakernet) is a pretty
> reasonable way to avoid this concern
True also, I just wanted to mention that transferring keys is something to be
thought about.
>
> > And: You can only encrypt the files for one key. So only one user will have
> > access to the files (owns the files), as long as you don't share the keys. For
> > example you can introduce company wide keys or department keys and distribute
> > them to anyone, who should have access.
>
> You actually can encrypt files to more than one OpenPGP key, so that
> anyone holding any of the recipient keys can decrypt the data. Maybe
> this approach would be useful for the OP?
As far as I know you can keep multiple different encrypted copies of a file, but
one copy of the file will only have one encryption. Assuming that you don't want
to waste space. I just see that you can encrypt for multiple keys, but you will
increase the space needed for the file copy, don't you?
I mean if you encrypt a file f.txt to f.txt.gpg with 10 recipients, you will
have a f.txt.gpg that contains f.txt 10 times encrypted in 10 different ways.
Maybe I'm wrong about this point, but I can't think of an encryption strategy
with mixed recipients.
bye, ingo
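The space question raised in the message above is about the hybrid construction OpenPGP uses for multi-recipient messages: the file body is symmetrically encrypted once under a random session key, and only that short session key is public-key encrypted separately for each recipient (one public-key encrypted session key packet per recipient in RFC 4880), so the file is never stored N times. The Go program below is an added example written for this page; it is not part of the thread and not GnuPG code, and it does not produce OpenPGP packets. It models the same structure with constructed RSA keys (RSA-OAEP for the key wrap, AES-256-GCM for the single payload encryption); the recipient names and the sample plaintext are made up for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Recipient is one hypothetical user's RSA key pair. It stands in for an
// OpenPGP encryption (sub)key; the keys are generated fresh for the example.
type Recipient struct {
	Name string
	Key  *rsa.PrivateKey
}

// Message is the multi-recipient ciphertext. The payload is encrypted exactly
// once under a random session key; each recipient only adds one wrapped copy of
// that session key (the role of OpenPGP's per-recipient PKESK packet).
type Message struct {
	WrappedKeys map[string][]byte // recipient name -> RSA-OAEP(sessionKey)
	Nonce       []byte            // AES-GCM nonce for the single payload encryption
	Ciphertext  []byte            // AES-256-GCM(plaintext) || 16-byte tag, produced once
}

// NewRecipient generates a throwaway RSA key pair for the example.
func NewRecipient(name string, bits int) (*Recipient, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Recipient{Name: name, Key: k}, nil
}

// Encrypt encrypts plaintext to every recipient. Adding a recipient costs one
// RSA-wrapped session key (modulus size, e.g. 256 bytes for RSA-2048), never
// another copy of the payload.
func Encrypt(plaintext []byte, recipients []*Recipient) (*Message, error) {
	sessionKey := make([]byte, 32) // AES-256 key, used for this message only
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	msg := &Message{
		WrappedKeys: make(map[string][]byte, len(recipients)),
		Nonce:       nonce,
		Ciphertext:  gcm.Seal(nil, nonce, plaintext, nil), // the one and only payload encryption
	}
	for _, r := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &r.Key.PublicKey, sessionKey, nil)
		if err != nil {
			return nil, err
		}
		msg.WrappedKeys[r.Name] = wrapped
	}
	return msg, nil
}

// Decrypt recovers the plaintext for one recipient: unwrap the session key with
// that recipient's private key, then decrypt the shared payload with it.
func Decrypt(msg *Message, r *Recipient) ([]byte, error) {
	wrapped, ok := msg.WrappedKeys[r.Name]
	if !ok {
		return nil, fmt.Errorf("%s is not a recipient of this message", r.Name)
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, r.Key, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping session key for %s: %w", r.Name, err)
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg.Nonce, msg.Ciphertext, nil)
}

// Size is the total byte count of the message, so the growth per recipient
// can be compared against the payload size.
func (m *Message) Size() int {
	n := len(m.Nonce) + len(m.Ciphertext)
	for _, w := range m.WrappedKeys {
		n += len(w)
	}
	return n
}

func main() {
	plaintext := []byte("constructed sample: contents of f.txt shared with the department")
	var rs []*Recipient
	for _, name := range []string{"alice", "bob", "carol"} {
		r, err := NewRecipient(name, 2048)
		if err != nil {
			panic(err)
		}
		rs = append(rs, r)
	}
	one, _ := Encrypt(plaintext, rs[:1])
	three, _ := Encrypt(plaintext, rs)
	fmt.Printf("payload bytes: %d (plaintext %d + 16-byte tag), same for 1 or 3 recipients\n",
		len(three.Ciphertext), len(plaintext))
	fmt.Printf("message size: 1 recipient %d bytes, 3 recipients %d bytes (+%d per extra recipient)\n",
		one.Size(), three.Size(), (three.Size()-one.Size())/2)
	pt, err := Decrypt(three, rs[2])
	fmt.Printf("carol decrypts: %q (err=%v)\n", pt, err)
}
```

Run it with `go run` and compare the two sizes: the ciphertext length is fixed at plaintext plus the 16-byte GCM tag, and each additional recipient adds exactly one RSA-2048 key wrap (256 bytes). The caveat this model shares with real OpenPGP is that anyone who can see the message can see how many recipients there are; GnuPG's `--hidden-recipient` option exists for the case where even that must not leak.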
More information about the Gnupg-users mailing list