"Dustin Puryear" <[EMAIL PROTECTED]> writes:

> Speaking on a related issue, a problem I have with PGP is the inability to
> have a central skeleton key, ala S/MIME with Exchange, which I think offers
> that ability.

PGP is a different trust model.  At my work -- which is a Navy and therefore
a DOD site -- we use smart cards with PKI certs.  That's an expensive
infrastructure.  PGP/GPG is predicated on the web of trust model.

There are lots of arguments against a central skeleton key and rather
than rehash them here, I'd say go read a bunch of old cypherpunks messages
and Bruce Schneier, Lucky Green and other authors.  Now for corporate email
a skeleton key makes sense and I've seen some ways of getting that out of
gpg but all are hacks of a sort.

>
>> A possible workaround for your case is a password protected https
>> site. send links to the recipients so authorized users can access the
>> protected information in a (more) secure fashion.
>
> Yes, but if the email is intercepted then the supposedly protected file can
> be downloaded. No net gain here. Okay, so what about authenticating the user
> first? Great. Just email them their key and.. oh wait. How do I protect the
> key in the email? Encrypt the email of course. So I just.. wait, I'm getting
> dizzy.

Yep. Pre-shared keys/passphrases, presumably over a voice call.

> Okay, the above is half a joke, but half the truth. What we are thinking of
> doing now is using a Web-based download and mailing keys off using CDs.

No one ever said security was easy ;)

-- 
Scott Harney <[EMAIL PROTECTED]>
"Asking the wrong questions is the leading cause of wrong answers"
gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5
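The exchange the thread converges on (ciphertext on a web site, only the link in the e-mail, the passphrase spoken over the phone) as an added, runnable model; this is example code written for this page, not anything posted in the thread. It stands in for `gpg --symmetric` with a stdlib-only construction (scrypt KDF, HMAC-SHA256 counter-mode keystream, encrypt-then-MAC) so it runs offline; it is not the OpenPGP format, and the host name `files.example.org`, the `/dl/` path, the `PSK1` header and all sample strings are invented for the demo. The point it makes concrete is Dustin's loop: an interceptor who reads the e-mail gets the link and therefore the blob, but without the out-of-band passphrase the MAC check fails.

```python
"""Out-of-band passphrase model: blob on the https host, link by e-mail,
passphrase by voice.  Added example, not from the thread; a stand-in for
`gpg --symmetric`, NOT the OpenPGP format."""
from __future__ import annotations
import hashlib
import hmac
import os
import secrets

MAGIC = b"PSK1"          # invented container header for this demo
TAG_LEN = 32             # HMAC-SHA256 output
HDR_LEN = len(MAGIC) + 16 + 16   # magic || salt || nonce


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    # Slow KDF: a guessed passphrase costs the interceptor real work per try.
    km = hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return km[:32], km[32:]          # (encryption key, MAC key), never reused


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from a PRF: block_i = HMAC(key, nonce || i).
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return header + ct + tag


def decrypt(passphrase: str, blob: bytes) -> bytes:
    if len(blob) < HDR_LEN + TAG_LEN or blob[:len(MAGIC)] != MAGIC:
        raise ValueError("not a PSK1 blob")
    salt, nonce = blob[4:20], blob[20:36]
    ct, tag = blob[HDR_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, blob[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # wrong passphrase or tampering
        raise ValueError("wrong passphrase or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


def run_exchange(secret: bytes = b"constructed sample: Q3 numbers",
                 passphrase: str = "correct horse",
                 interceptor_guess: str = "password1") -> dict:
    """Constructed end-to-end run.  Returns what each party ended up with."""
    web_site: dict[str, bytes] = {}                 # stands in for the https host
    path = "/dl/" + secrets.token_urlsafe(16)       # unguessable download link
    web_site[path] = encrypt(passphrase, secret)
    email_body = f"Your file is at https://files.example.org{path}"   # link only

    # Legitimate recipient: link from the e-mail, passphrase from the phone call.
    link = email_body.split("https://files.example.org", 1)[1]
    recipient_plain = decrypt(passphrase, web_site[link])

    # Interceptor: read the e-mail, fetched the blob, has only a guess.
    try:
        decrypt(interceptor_guess, web_site[link])
        interceptor_ok = True
    except ValueError:
        interceptor_ok = False

    return {
        "recipient_ok": recipient_plain == secret,
        "interceptor_ok": interceptor_ok,
        "passphrase_in_email": passphrase in email_body,
    }


if __name__ == "__main__":
    print(run_exchange())
```

The design point is the split across channels: the e-mail and the web site together hold nothing a passphrase-less attacker can use, and `decrypt` refuses to emit anything until the MAC over header and ciphertext verifies, so a wrong passphrase fails closed rather than producing garbage. For real files, `gpg --symmetric` with a passphrase spoken over the phone gives the same shape with a standard format.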
