On 01/04/2018 10:38 PM, Lou Wynn wrote:
> On 01/04/2018 03:02 AM, Kristian Fiskerstrand wrote:
>> On 01/04/2018 02:34 AM, Lou Wynn wrote:
>>> No, there is no business unit level certifying key. An enterprise only
>>> has one root key, which is the ultimate certificate authority for its
>>> own employees and business partners.
>> I normally recommend separating those, given the value for external parties
>> that might want to trust this CA for certifying employees but not other
>> third parties.
> I don't think it is necessary to use business unit level certifying keys in
> my design. It introduces management overhead which shadows its benefits.
> If you understand the concept of trust realm/trust group and its
> verification methods I described before, then there is no need for a key
> hierarchy at all. Can you describe a use case that demands the use of a
> unit level certifying key? I'll try to explain how to implement it with
> trust realm and groups.
I didn't necessarily say business unit level CA, but separation between employee and business partner CAs.

>> As for access to private key material, I normally recommend that the end
>> user never has access to any secret key material, but only access to
>> using subkeys (never the primary) using smartcard tokens.
> I completely agree, and indeed in my system, an end user never needs to
> directly access his secret key. Actually, he does not need to access his
> public key either. This is what I mean by zero configuration on client
> side, both for trust management and key management.
>
> Thanks,
> Lou
>

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Carpe noctem
Seize the night
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
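The recommendation quoted above, that an end user only ever holds subkeys and never the primary, is easy to realize with stock GnuPG: keep a certify-only primary in an offline keyring, export only the secret subkeys, and hand those (or load them onto a token) to the user. The script below is an added example, not code from either poster; it assumes GnuPG 2.1 or later on PATH, and the user ID, RSA 2048 key size and one-year subkey expiry are illustrative choices. It also shows the consequence of the split: signing still works from the user's keyring, but anything that needs the primary (here, adding a subkey) is refused.

```shell
#!/bin/sh
# Added example, not from the thread: split an OpenPGP key so that the end
# user holds only secret subkeys and never the primary. Assumes GnuPG >= 2.1.
set -eu

# Wrapper so every call runs unattended with an (illustrative) empty passphrase.
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# split_key UID: build a certify-only primary plus sign/encr/auth subkeys in an
# "offline" homedir, export only the secret subkeys, import them into a fresh
# "user" homedir, and print what the user side can and cannot do.
split_key() {
  uid="$1"
  work=$(mktemp -d)
  mkdir -m 700 "$work/master" "$work/user"

  # 1. Primary key with the certify capability only; it never leaves $work/master.
  GNUPGHOME="$work/master" g --quick-gen-key "$uid" rsa2048 cert never
  fpr=$(GNUPGHOME="$work/master" gpg --batch --with-colons --list-keys "$uid" \
        | awk -F: '$1 == "fpr" { print $10; exit }')

  # 2. Working subkeys for signing, encryption and authentication.
  for cap in sign encr auth; do
    GNUPGHOME="$work/master" g --quick-add-key "$fpr" rsa2048 "$cap" 1y
  done

  # 3. Export ONLY the secret subkeys; the primary is replaced by a stub.
  GNUPGHOME="$work/master" g --export-secret-subkeys "$fpr" > "$work/subkeys.gpg"

  # 4. The user (or a token provisioning step) imports just the subkeys.
  GNUPGHOME="$work/user" g --import "$work/subkeys.gpg"

  # 5. In --with-colons output, field 15 of a "sec" line is "#" when the primary
  #    secret key is only a stub; "ssb" lines are the usable subkeys (field 12
  #    holds their capability letter: s, e or a).
  GNUPGHOME="$work/user" gpg --batch --with-colons --list-secret-keys "$fpr" \
    | awk -F: '$1 == "sec" { print "primary:" $15 } $1 == "ssb" { print "subkey:" $12 }'

  # 6. Operations that need only a subkey still work for the user ...
  echo hello | GNUPGHOME="$work/user" g --local-user "$fpr" --sign >/dev/null \
    && echo "sign:ok"
  # ... but anything that needs the primary (certifying, adding subkeys) fails.
  if GNUPGHOME="$work/user" g --quick-add-key "$fpr" rsa2048 sign 1y 2>/dev/null; then
    echo "add-subkey:unexpected-success"
  else
    echo "add-subkey:refused"
  fi

  # Cleanup: stop the per-homedir agents and remove the throwaway keyrings.
  for d in master user; do GNUPGHOME="$work/$d" gpgconf --kill gpg-agent; done
  rm -rf "$work"
}
```

Usage: `split_key "Example User <user@example.org>"`. In practice the `$work/master` keyring is what stays offline (or under the enterprise's control), `subkeys.gpg` is what goes to the user or onto a smartcard via `gpg --edit-key` / `keytocard`, and the `sec#` marker in `gpg --list-secret-keys` is the quick check that a given machine really does not hold the primary.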