GnuPG in the enterprise

[Dan Nelson]

In the last episode (Jun 15), Tony Shadwick said:
> Are there any good documents out there on managing GnuPG in the
> enterprise?
> 
> There are basic issues I need to be able to address, such as a
> situation when an employee leaves a company.  The admin needs to have
> the rights to revoke that user's public key, and be able decrypt any
> old messages to that user, and be able to decrypt messages sent to
> that user that are now being redirected to someone else for handling.
> 
> Are there established mechanisms for handling centralized key
> management in a company to where the Administrator has access to
> everything required?

One solution is to make a copy of all keys (with known passphrases)
when they are created, and put the copy in a secure location.  If an
employee leaves suddenly, you can retrieve the key to decrypt leftover
files and revoke the key.  Pgp.com's Windows PGP software uses special
Revoker keys and Additional Decryption keys that get added when files
are signed, so files are always encrypted to multiple recipients and
keys are always revokable even if the original key no longer exists. 
gpg doesn't recognize ADKs, though.

-- 
	Dan Nelson
	dnelson at allantgroup.com