On 01/04/2018 02:34 AM, Lou Wynn wrote:
> No, there is no business unit level certifying key. An enterprise only
> has one root key, which is the ultimate certificate authority for its
> own employees and business partners.
I normally recommend separating those, as there is value for external parties that might want to trust this CA for certifying employees but not other third parties.

As for access to private key material, I normally recommend that the end user never has access to any secret key material, but only access to using subkeys (never the primary) using smartcard tokens.

Wrt your other discussion of the ssh based scheme, an alternative for escrow is actually using gnupg 2.1's gpg-agent through SSH socket forwarding so key material is never available locally. A system could theoretically be set up in a restricted setup so the user doesn't actually get access to the key material (but it would require some setup to ensure they don't have it, so smartcard is generally easier).

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Carpe noctem
Seize the night
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
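The SSH socket-forwarding arrangement Kristian mentions, as an added example that is not part of the mailing-list post and not a GnuPG project script. It forwards only the restricted "extra" socket that gpg-agent exposes in GnuPG 2.1 and later (which refuses key export and similar sensitive operations), so the remote host can sign and decrypt but never receives the key material. The host name `build01`, the remote UID `1000` and the fallback socket path are assumed placeholders; the two sshd and gpg options are real GnuPG/OpenSSH settings.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): forward gpg-agent's
# *restricted* extra socket over SSH so private keys stay on the workstation.
# "build01" and UID 1000 are placeholders (assumptions).

# Local restricted socket. Ask gpgconf for it; fall back to the classic
# default path if gpgconf is not installed on this machine.
local_extra_socket() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-extra-socket
    else
        printf '%s\n' "${HOME}/.gnupg/S.gpg-agent.extra"
    fi
}

# Where gpg on the remote host looks for its agent (systemd-style runtime dir).
remote_agent_socket() {
    printf '%s\n' "/run/user/$1/gnupg/S.gpg-agent"
}

# Guard: only the restricted socket may be forwarded. Forwarding the full
# S.gpg-agent would let the remote side export keys, defeating the escrow idea.
is_restricted_socket() {
    case "$1" in
        *S.gpg-agent.extra) return 0 ;;
        *) return 1 ;;
    esac
}

# Client-side ~/.ssh/config stanza. RemoteForward takes the remote path first,
# then the local socket it should connect to.
ssh_config_stanza() {
    host="$1"; remote_uid="$2"; local_sock="$3"
    if ! is_restricted_socket "$local_sock"; then
        echo "refusing to forward non-restricted socket: $local_sock" >&2
        return 1
    fi
    printf 'Host %s\n' "$host"
    printf '    RemoteForward %s %s\n' \
        "$(remote_agent_socket "$remote_uid")" "$local_sock"
}

# Server side: sshd must unlink a stale socket file before binding the new one,
# and gpg on the remote host must not start a local agent over the forwarded one.
sshd_config_line() { printf 'StreamLocalBindUnlink yes\n'; }
remote_gpg_conf_line() { printf 'no-autostart\n'; }

# Stand-alone run: print the three configuration fragments for the placeholder host.
main() {
    ssh_config_stanza build01 1000 "$(local_extra_socket)"
    echo "--- remote /etc/ssh/sshd_config:"; sshd_config_line
    echo "--- remote ~/.gnupg/gpg.conf:"; remote_gpg_conf_line
}
main
```

Once the stanza is in place, `gpg --list-secret-keys` on the remote host shows the keys as usable through the forwarded agent, while any attempt to export them from there is rejected by the restricted socket; the user still needs a locally running gpg-agent, which is the part Kristian notes takes extra setup to keep out of the user's hands, hence his preference for smartcards.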