Re: Modernizing Web-of-trust for Organizations

On Wed, Jan 03, 2018 at 05:34:30PM -0800, Lou Wynn wrote: > > The management of users' private key is a little more complicated. I > use two levels of protection. One level is at the organization. An > organization actually has a fourth key, which I call the guard key, > to encrypt the password

Re: Modernizing Web-of-trust for Organizations

On 01/04/2018 02:57 PM, Kristian Fiskerstrand wrote: > On 01/04/2018 11:24 PM, Lou Wynn wrote: > but you add the requirement that all end users sending email to you > require to validate the auditing key as well (auditing is likely wrong > word, archiving is more likely relevant). for auditing you

Re: Modernizing Web-of-trust for Organizations

On 01/04/2018 11:14 PM, Lou Wynn wrote: > Compared to using two CAs, my design introduces two properties to a > certificate. One is the certificate type, which is "p" for a partner and > "e" for an employee. why not make it compatible with rfc4880 directly? your proposal would require client

Re: Modernizing Web-of-trust for Organizations

On 01/04/2018 02:59 PM, Kristian Fiskerstrand wrote: > On 01/04/2018 11:14 PM, Lou Wynn wrote: >> Compared to using two CAs, my design introduces two properties to a >> certificate. One is the certificate type, which is "p" for a partner and >> "e" for an employee. > why not make it compatible

Re: Modernizing Web-of-trust for Organizations

On 01/05/2018 01:04 AM, Lou Wynn wrote: > On 01/04/2018 02:57 PM, Kristian Fiskerstrand wrote: >> On 01/04/2018 11:24 PM, Lou Wynn wrote: >> but you add the requirement that all end users sending email to you >> require to validate the auditing key as well (auditing is likely wrong >> word,

Re: Modernizing Web-of-trust for Organizations

On 01/04/2018 04:31 PM, Lou Wynn wrote: > I think that I simplified my original description too much. The two > levels of protection works like this. > 1. The employee chooses his own password, which is used to encrypt his > private key. > > 2. Then the encrypted key is encrypted with the guard

Re: Modernizing Web-of-trust for Organizations

On 01/04/2018 04:06 PM, Kristian Fiskerstrand wrote: > But in the end it doesn't matter, as the organization anyways has access > to the private key material of the employee. So a third party "auditing > key" is irrespective of any access goals. > I guess that you've missed somewhere I said in my

Re: Modernizing Web-of-trust for Organizations

On 01/04/2018 11:24 PM, Lou Wynn wrote: > I guess that you missed the auditing key part. I introduced it to meet > auditing requirements or scanning of messages without using end user's > private keys. but you add the requirement that all end users sending email to you require to validate the

Re: Modernizing Web-of-trust for Organizations

On 01/04/2018 04:15 PM, Kristian Fiskerstrand wrote: > On 01/05/2018 01:12 AM, Lou Wynn wrote: >> I guess that you've missed somewhere I said in my previous posts that >> the end user chooses his own password to protect his key password, which >> is meant to prevent others from using his private

Re: Modernizing Web-of-trust for Organizations

On 01/04/2018 01:31 PM, Kristian Fiskerstrand wrote: > On 01/04/2018 10:21 PM, Lou Wynn wrote: >> After a client plugin logs in successfully, the server sends the user's >> encrypted email key to the client. > Aren't you better off with a gateway solution like PGP Universal / > Symantec Encryption

Re: Modernizing Web-of-trust for Organizations

On 01/05/2018 01:12 AM, Lou Wynn wrote: > I guess that you've missed somewhere I said in my previous posts that > the end user chooses his own password to protect his key password, which > is meant to prevent others from using his private keys. At which point I'm wondering about your priorities,

Re: Modernizing Web-of-trust for Organizations

On 01/04/2018 10:58 PM, Lou Wynn wrote: > It's doable, but I'd like to make sure that I understand what you > mean by "within corporate infrastructure?" Do you mean the client > plugin sends requests to the server to decrypt and verify received > messages? no, there isn't necessarily a client

Re: Modernizing Web-of-trust for Organizations

On 01/04/2018 02:04 PM, Kristian Fiskerstrand wrote: >> I don't think it necessary to use business unit level certifying keys in >> my design. It introduces management overhead which shadows its benefits. >> If you understand the concept of trust realm/trust group and its >> verification methods I

Re: Modernizing Web-of-trust for Organizations

On 01/04/2018 01:04 PM, Ben McGinnes wrote: > On Thu, Jan 04, 2018 at 12:40:59AM +, MFPA wrote: >> For example, my ISP [0] says "All staff keys are signed using the >> company signing key. This is very much like a traditional company >> seal. Only the director has access to this key and it is

Re: Modernizing Web-of-trust for Organizations

On 01/04/2018 10:38 PM, Lou Wynn wrote: > On 01/04/2018 03:02 AM, Kristian Fiskerstrand wrote: >> On 01/04/2018 02:34 AM, Lou Wynn wrote: >>> No, there is no business unit level certifying key. An enterprise only >>> has one root key, which is the ultimate certificate authority for its >>> own

Re: Modernizing Web-of-trust for Organizations

On 01/04/2018 02:08 PM, Kristian Fiskerstrand wrote: > no, there isn't necessarily a client plugin, the gateway decrypts the > message before it hits the internal email server, so end-user sees > un-encrypted message, this is protecting transport, but security of > on-site is ensures through

Re: Modernizing Web-of-trust for Organizations

On 01/04/2018 02:28 PM, Ben McGinnes wrote: > On Wed, Jan 03, 2018 at 05:34:30PM -0800, Lou Wynn wrote: >> The management of users' private key is a little more complicated. I >> use two levels of protection. One level is at the organization. An >> organization actually has a fourth key, which I

Re: GnuPG on Android [was: Re: FAQ and GNU]

Hi, note that a search for "Android" in wiki.gnupg.org would have shown you the Guardian port of GnuPG 2.1 to Android. (I've added additional details now.) Am Mittwoch 11 Oktober 2017 16:40:42 schrieb Daniel Kahn Gillmor: > here's the project i was thinking of that was farthest along in terms

Re: Modernizing Web-of-trust for Organizations

On 01/04/2018 12:25 AM, Andrew Gallagher wrote: >> On 4 Jan 2018, at 04:42, Lou Wynn wrote: >> >> It has a client key and uses it to log into the server, which is >> similar to SSH key authentication, to retrieve the private key after >> authentication. > This bit confuses me.

Re: Modernizing Web-of-trust for Organizations

On Thu, Jan 04, 2018 at 12:40:59AM +, MFPA wrote: > > For example, my ISP [0] says "All staff keys are signed using the > company signing key. This is very much like a traditional company > seal. Only the director has access to this key and it is only used > for signing other keys. If/when a

Re: Modernizing Web-of-trust for Organizations

On 01/04/2018 10:21 PM, Lou Wynn wrote: > After a client plugin logs in successfully, the server sends the user's > encrypted email key to the client. Aren't you better off with a gateway solution like PGP Universal / Symantec Encryption Server (or for that matter if GPGRelay is still alive) ?

Re: Modernizing Web-of-trust for Organizations

> On 4 Jan 2018, at 04:42, Lou Wynn wrote: > > It has a client key and uses it to log into the server, which is > similar to SSH key authentication, to retrieve the private key after > authentication. This bit confuses me. If you already store a private key locally, why use

Re: Obtaining Key Stubs From Smartcard

On 03/01/18 23:42, Bagel Alderman via Gnupg-users wrote: > Can anyone tell me why gpg --card-status isn't creating key stubs (even > after  the original stubs are deleted)? Could you post commands entered and their result? We can't tell what goes wrong just by this description. It has always

Re: Obtaining Key Stubs From Smartcard

Original Message Subject: Re: Obtaining Key Stubs From Smartcard Local Time: January 4, 2018 4:27 AM UTC Time: January 4, 2018 10:27 AM From: pe...@digitalbrains.com To: Bagel Alderman , gnupg-users@gnupg.org >Could you

Re: Modernizing Web-of-trust for Organizations

On 01/04/2018 02:34 AM, Lou Wynn wrote: > No, there is no business unit level certifying key. An enterprise only > has one root key, which is the ultimate certificate authority for its > own employees and business partners. I normally recommend separating those, as the value for external parties