On Wed, Jan 03, 2018 at 05:34:30PM -0800, Lou Wynn wrote:
>
> The management of users' private key is a little more complicated. I
> use two levels of protection. One level is at the organization. An
> organization actually has a fourth key, which I call the guard key,
> to encrypt the password
On 01/04/2018 02:57 PM, Kristian Fiskerstrand wrote:
> On 01/04/2018 11:24 PM, Lou Wynn wrote:
> but you add the requirement that all end users sending email to you
> require to validate the auditing key as well (auditing is likely wrong
> word, archiving is more likely relevant). for auditing you
On 01/04/2018 11:14 PM, Lou Wynn wrote:
> Compared to using two CAs, my design introduces two properties to a
> certificate. One is the certificate type, which is "p" for a partner and
> "e" for an employee.
why not make it compatible with rfc4880 directly? your proposal would
require client
On 01/04/2018 02:59 PM, Kristian Fiskerstrand wrote:
> On 01/04/2018 11:14 PM, Lou Wynn wrote:
>> Compared to using two CAs, my design introduces two properties to a
>> certificate. One is the certificate type, which is "p" for a partner and
>> "e" for an employee.
> why not make it compatible
On 01/05/2018 01:04 AM, Lou Wynn wrote:
> On 01/04/2018 02:57 PM, Kristian Fiskerstrand wrote:
>> On 01/04/2018 11:24 PM, Lou Wynn wrote:
>> but you add the requirement that all end users sending email to you
>> require to validate the auditing key as well (auditing is likely wrong
>> word,
On 01/04/2018 04:31 PM, Lou Wynn wrote:
> I think that I simplified my original description too much. The two
> levels of protection works like this.
> 1. The employee chooses his own password, which is used to encrypt his
> private key.
>
> 2. Then the encrypted key is encrypted with the guard
On 01/04/2018 04:06 PM, Kristian Fiskerstrand wrote:
> But in the end it doesn't matter, as the organization anyways has access
> to the private key material of the employee. So a third party "auditing
> key" is irrespective of any access goals.
>
I guess that you've missed somewhere I said in my
On 01/04/2018 11:24 PM, Lou Wynn wrote:
> I guess that you missed the auditing key part. I introduced it to meet
> auditing requirements or scanning of messages without using end user's
> private keys.
but you add the requirement that all end users sending email to you
require to validate the
On 01/04/2018 04:15 PM, Kristian Fiskerstrand wrote:
> On 01/05/2018 01:12 AM, Lou Wynn wrote:
>> I guess that you've missed somewhere I said in my previous posts that
>> the end user chooses his own password to protect his key password, which
>> is meant to prevent others from using his private
On 01/04/2018 01:31 PM, Kristian Fiskerstrand wrote:
> On 01/04/2018 10:21 PM, Lou Wynn wrote:
>> After a client plugin logs in successfully, the server sends the user's
>> encrypted email key to the client.
> Aren't you better off with a gateway solution like PGP Universal /
> Symantec Encryption
On 01/05/2018 01:12 AM, Lou Wynn wrote:
> I guess that you've missed somewhere I said in my previous posts that
> the end user chooses his own password to protect his key password, which
> is meant to prevent others from using his private keys.
At which point I'm wondering about your priorities,
On 01/04/2018 10:58 PM, Lou Wynn wrote:
> It's doable, but I'd like to make sure that I understand what you
> mean by "within corporate infrastructure?" Do you mean the client
> plugin sends requests to the server to decrypt and verify received
> messages?
no, there isn't necessarily a client
On 01/04/2018 02:04 PM, Kristian Fiskerstrand wrote:
>> I don't think it necessary to use business unit level certifying keys in
>> my design. It introduces management overhead which shadows its benefits.
>> If you understand the concept of trust realm/trust group and its
>> verification methods I
On 01/04/2018 01:04 PM, Ben McGinnes wrote:
> On Thu, Jan 04, 2018 at 12:40:59AM +, MFPA wrote:
>> For example, my ISP [0] says "All staff keys are signed using the
>> company signing key. This is very much like a traditional company
>> seal. Only the director has access to this key and it is
On 01/04/2018 10:38 PM, Lou Wynn wrote:
> On 01/04/2018 03:02 AM, Kristian Fiskerstrand wrote:
>> On 01/04/2018 02:34 AM, Lou Wynn wrote:
>>> No, there is no business unit level certifying key. An enterprise only
>>> has one root key, which is the ultimate certificate authority for its
>>> own
On 01/04/2018 02:08 PM, Kristian Fiskerstrand wrote:
> no, there isn't necessarily a client plugin, the gateway decrypts the
> message before it hits the internal email server, so end-user sees
> un-encrypted message, this is protecting transport, but security of
> on-site is ensures through
On 01/04/2018 02:28 PM, Ben McGinnes wrote:
> On Wed, Jan 03, 2018 at 05:34:30PM -0800, Lou Wynn wrote:
>> The management of users' private key is a little more complicated. I
>> use two levels of protection. One level is at the organization. An
>> organization actually has a fourth key, which I
Hi,
note that a search for "Android" in wiki.gnupg.org would have shown you the
Guardian port of GnuPG 2.1 to Android. (I've added additional details now.)
Am Mittwoch 11 Oktober 2017 16:40:42 schrieb Daniel Kahn Gillmor:
> here's the project i was thinking of that was farthest along in terms
On 01/04/2018 12:25 AM, Andrew Gallagher wrote:
>> On 4 Jan 2018, at 04:42, Lou Wynn wrote:
>>
>> It has a client key and uses it to log into the server, which is
>> similar to SSH key authentication, to retrieve the private key after
>> authentication.
> This bit confuses me.
On Thu, Jan 04, 2018 at 12:40:59AM +, MFPA wrote:
>
> For example, my ISP [0] says "All staff keys are signed using the
> company signing key. This is very much like a traditional company
> seal. Only the director has access to this key and it is only used
> for signing other keys. If/when a
On 01/04/2018 10:21 PM, Lou Wynn wrote:
> After a client plugin logs in successfully, the server sends the user's
> encrypted email key to the client.
Aren't you better off with a gateway solution like PGP Universal /
Symantec Encryption Server (or for that matter if GPGRelay is still
alive) ?
> On 4 Jan 2018, at 04:42, Lou Wynn wrote:
>
> It has a client key and uses it to log into the server, which is
> similar to SSH key authentication, to retrieve the private key after
> authentication.
This bit confuses me. If you already store a private key locally, why use
On 03/01/18 23:42, Bagel Alderman via Gnupg-users wrote:
> Can anyone tell me why gpg --card-status isn't creating key stubs (even
> after the original stubs are deleted)?
Could you post commands entered and their result? We can't tell what
goes wrong just by this description.
It has always
Original Message
Subject: Re: Obtaining Key Stubs From Smartcard
Local Time: January 4, 2018 4:27 AM
UTC Time: January 4, 2018 10:27 AM
From: pe...@digitalbrains.com
To: Bagel Alderman , gnupg-users@gnupg.org
>Could you
On 01/04/2018 02:34 AM, Lou Wynn wrote:
> No, there is no business unit level certifying key. An enterprise only
> has one root key, which is the ultimate certificate authority for its
> own employees and business partners.
I normally recommend separating those, as the value for external parties
25 matches
Mail list logo