
Koch: A New Future for GnuPG

Koch: A New Future for GnuPG

Posted Jan 3, 2022 20:31 UTC (Mon) by karkhaz (subscriber, #99844)
Parent article: Koch: A New Future for GnuPG

> Although we support S/MIME, the majority of our customers decided in
> favor of the OpenPGP protocol, due to its higher flexibility and
> independence of a centralized public key infrastructure.

I assumed that a centralized PKI is exactly what enterprise/government customers would want to use, for ease of revocation/rotation/etc. It's quite surprising that these customers do see the benefit of OpenPGP; I wonder how the government makes it work (I don't suppose the civil servants are having keysigning parties...). This is very welcome news, anyway, congratulations!



Koch: A New Future for GnuPG

Posted Jan 3, 2022 20:44 UTC (Mon) by NYKevin (subscriber, #129325)

It's easy to build your own centralized PKI on top of a decentralized system like OpenPGP. For example, designate one key as the CA-equivalent, tell everyone to mark that key as fully trusted (or more likely, have IT do it for them), and then use that key to sign all the other keys.

OTOH, building a decentralized system on top of a centralized system is substantially harder.
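The setup described in the comment above, as an added example that is not part of the original comment: one key acts as the CA-equivalent, it certifies a colleague's key, and a third user's keyring is provisioned to fully trust it. The party names, `example.test` addresses and unprotected throwaway keys are constructed for the demo; the script also certifies the CA key locally in the relying keyring, because GnuPG's default trust model only counts ownertrust on keys that are themselves valid.

```shell
#!/usr/bin/env bash
# Added example: throwaway keyrings under a temp dir; names, addresses and
# unprotected test keys are constructed for this demo.
set -eu
WORK=$(mktemp -d)

# Run gpg non-interactively against one party's private keyring.
g() { h=$1; shift; gpg --homedir "$WORK/$h" --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' "$@"; }
# Fingerprint and computed validity of key $2 as seen from keyring $1.
fpr()      { g "$1" --list-keys --with-colons "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }
validity() { g "$1" --list-keys --with-colons "$2" | awk -F: '$1=="pub"{print $2; exit}'; }

run_demo() {
  for p in ca alice bob; do
    mkdir -m 700 "$WORK/$p"
    g "$p" --quick-generate-key "Demo $p <$p@example.test>" default default never
  done
  # The CA-equivalent key certifies Alice's key, as IT would for every employee.
  g alice --export alice@example.test | g ca --import
  g ca --quick-sign-key "$(fpr ca alice@example.test)"
  g ca --export > "$WORK/bundle.gpg"

  # Bob receives both keys; Alice's key has no validity for him yet.
  g bob --import "$WORK/bundle.gpg"
  BEFORE=$(validity bob alice@example.test)

  # Provisioning step: certify the CA key locally (non-exportable signature)
  # and assign it full ownertrust (value 5 in the ownertrust file format).
  CA_FPR=$(fpr bob ca@example.test)
  g bob --quick-lsign-key "$CA_FPR"
  echo "$CA_FPR:5:" | g bob --import-ownertrust
  g bob --check-trustdb
  AFTER=$(validity bob alice@example.test)

  for p in ca alice bob; do gpgconf --homedir "$WORK/$p" --kill gpg-agent || true; done
  rm -rf "$WORK"
}

run_demo
echo "alice's validity in bob's keyring: before=$BEFORE after=$AFTER"
```

The second field of the `pub` record in `--with-colons` output is the computed validity; `f` means the key is fully valid through the CA-equivalent key's signature alone.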

Koch: A New Future for GnuPG

Posted Jan 4, 2022 8:25 UTC (Tue) by taladar (subscriber, #68407)

GPG does support revocation certificates which allow the key owner to designate another key to generate a revocation certificate for it. That does allow a more central management of keys than would otherwise be possible.

Koch: A New Future for GnuPG

Posted Jan 4, 2022 8:53 UTC (Tue) by nilsmeyer (guest, #122604)

> I assumed that a centralized PKI is exactly what enterprise/government customers would want to use, for ease of revocation/rotation/etc. It's quite surprising that these customers do see the benefit of OpenPGP; I wonder how the government makes it work (I don't suppose the civil servants are having keysigning parties...).

Depends on the government agency. BSI uses it, obviously, and so do some state data protection offices in Germany. There was an ill-fated attempt to build something for e-mail (DE-Mail) that was a home-grown solution; for healthcare there is something based on an X.509 PKI which is also not widely used; similarly, there is something used by lawyers and courts (supposedly) also based on X.509, I believe. Fax and mail still reign supreme in a lot of places.

The federally owned Bundesdruckerei (which also prints Euro notes for example) also offers S/MIME certificates, though barely anyone uses S/MIME.

It's not a comprehensive strategy - this is quite typical for Germany. What is unusual here is that the people in charge relied on an open standard instead of cooking up their own proprietary solution. I think it's quite an achievement actually to not only have a good technical solution in place but also to be able to convince a government agency to use it.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds