On Wed 2016-08-03 20:37:00 -0400, taltman wrote:

> 1. Create a new GPG keyring specific for my identity with my employer
> 2. Cross-sign my existing personal GPG key with the employer-specific
>    GPG key
> 3. Do proper key hygiene things (backups, revocation certs, etc.) on
>    employer-specific key
yes, this is a sensible plan.

> It seems with this set-up I can simply just turn over the password to
> the private key of the employer-specific GPG keyring if I'm ever
> obligated to give them access to their files. This keeps a nice clean
> separation between their property, and my personal GPG keyring. When it
> comes time to end my time at the employer, I can revoke the
> employer-specific key. If I no longer am able to use the
> employer-specific GPG keyring, I can at least revoke my signature of the
> employer-specific keyring if my former employer gains the password to
> the keyring.

Even better -- if you need to leave the workplace, you can:

 0) revoke the primary key entirely and publish the revocation.
 1) destroy the primary secret key.
 2) give your employers the secret key material for the
    *encryption-capable* subkey only.

The rationale for this is that while they may need access to your
confidential work-related communications, they don't need to be able to
masquerade as you (signing documents, certifying other keys, etc).

        --dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users