Modernizing Web-of-trust for Organizations

Lou Wynn lewisurn at gmail.com
Fri Jan 5 09:41:57 CET 2018


On 01/05/2018 12:18 AM, Kristian Fiskerstrand wrote:
> Businesses have reasonable need to access their data, so they need to
> have access to his private keys, which contradicts "which
> is meant to prevent others from using his private keys", although
> reading it again I presume you're limiting the statement to
> non-authorized personnel in the normal scenario?

This reason is vague and invalid. The purpose of a private key is
two-fold: encryption and message authorization. The only need for an
organization to access their data is decrypting the encrypted data,
which is satisfied by the auditing key. I don't see any valid reason to
damage message authorization. I'd suggest you read Ben McGinnes's post.

If you still insist that there is value in accessing employees' private
keys, then I would say that you belong to the type of organizations that
*want* to access employees' private keys although doing so causes more
damage. I described the two categories of organizations when replying to
Ben's post.

This is another reason that I want to modernize PGP for organizations:
when people use PGP in such an environment they tend to make
dangerous decisions such as key escrow or an encryption gateway to meet
organizational management requirements while compromising message
authorization.

Thanks,
Lou
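The separation Lou argues for (an auditing key that can decrypt, while the employee's signing key is never held by the organization) is easy to see in code. The following Go program is an added illustration written for this page; it is not GnuPG code, not Lou's, and not a model of OpenPGP's packet format or of any real key-escrow product. It uses only the Go standard library: a fresh AES-256-GCM content key per message, RSA-OAEP to wrap that key to each party allowed to read (the recipient and the organization's auditing key), and an Ed25519 signature by the sender. The party names "alice", "bob" and "audit", the message text and the `Scenario` function are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical message layout (an illustration, not GnuPG's packet format):
// AES-GCM ciphertext, one RSA-OAEP-wrapped copy of the content key for every
// party allowed to decrypt, and an Ed25519 signature made with the employee's
// own signing key, which the organization never holds.
type Message struct {
	Nonce, Ciphertext []byte
	WrappedKeys       map[string][]byte // party name -> content key wrapped to that party
	Signature         []byte            // Ed25519 signature over the ciphertext
}

// newGCM builds an AES-GCM AEAD from a raw 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext to every key in recipients (the intended reader plus
// the organization's auditing key) and signs the result with signKey.
func Encrypt(plaintext []byte, recipients map[string]*rsa.PublicKey, signKey ed25519.PrivateKey) (*Message, error) {
	contentKey := make([]byte, 32) // fresh per-message AES-256 key
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	msg := &Message{Nonce: nonce, WrappedKeys: map[string][]byte{}}
	msg.Ciphertext = gcm.Seal(nil, nonce, plaintext, nil)
	for name, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
		if err != nil {
			return nil, err
		}
		msg.WrappedKeys[name] = wrapped
	}
	// Only the holder of signKey can produce this; decryption keys play no part.
	msg.Signature = ed25519.Sign(signKey, msg.Ciphertext)
	return msg, nil
}

// Decrypt checks the sender's signature, then unwraps the content key with the
// caller's own decryption key. Nothing here needs the sender's signing key:
// an auditing key grants read access, not the ability to sign as the employee.
func Decrypt(msg *Message, name string, decKey *rsa.PrivateKey, senderPub ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(senderPub, msg.Ciphertext, msg.Signature) {
		return nil, errors.New("signature does not verify against the claimed sender")
	}
	wrapped, ok := msg.WrappedKeys[name]
	if !ok {
		return nil, errors.New("message is not encrypted to " + name)
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, decKey, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg.Nonce, msg.Ciphertext, nil)
}

// Scenario runs the organizational case: employee Alice writes to Bob and the
// auditing key is an extra recipient. It reports whether Bob and the auditor
// can read the message, and whether a copy the auditor re-signs with its own
// key is rejected when checked against Alice's public signing key.
func Scenario() (bobReads, auditorReads, forgeryRejected bool, err error) {
	bobKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	auditKey, err := rsa.GenerateKey(rand.Reader, 2048) // the organization's auditing key
	if err != nil {
		return
	}
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader) // never escrowed
	if err != nil {
		return
	}
	_, auditSignPriv, err := ed25519.GenerateKey(rand.Reader) // the auditor's own signing key
	if err != nil {
		return
	}
	plaintext := []byte("constructed sample: quarterly figures attached")
	recipients := map[string]*rsa.PublicKey{"bob": &bobKey.PublicKey, "audit": &auditKey.PublicKey}
	msg, err := Encrypt(plaintext, recipients, alicePriv)
	if err != nil {
		return
	}
	got, err := Decrypt(msg, "bob", bobKey, alicePub)
	if err != nil {
		return
	}
	bobReads = string(got) == string(plaintext)
	got, err = Decrypt(msg, "audit", auditKey, alicePub)
	if err != nil {
		return
	}
	auditorReads = string(got) == string(plaintext)
	// The auditor can read but cannot sign as Alice: a re-signed copy fails verification.
	forged := *msg
	forged.Signature = ed25519.Sign(auditSignPriv, msg.Ciphertext)
	_, ferr := Decrypt(&forged, "bob", bobKey, alicePub)
	forgeryRejected = ferr != nil
	return
}

func main() {
	bob, audit, forgery, err := Scenario()
	fmt.Println("bob reads:", bob, "auditor reads:", audit, "forgery rejected:", forgery, "err:", err)
}
```

The design point is that read access for the organization is a property of the encryption side (add the auditing key as a recipient at encryption time), while authenticity rests entirely on a signing key the organization never sees; escrowing the employee's whole keypair would buy nothing for decryption that the auditing key does not already provide, and would cost the ability to attribute signatures to one person.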

More information about the Gnupg-users mailing list