[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Good Enough?



We're looking at providing good tools for digital signatures on
e-mail here, for users that are interested. We plan to make available
PGP public keys in the student/staff X.500 directory, with suitable
tools for retrieving keys, etc. A couple questions have come up that
make me wonder what would be an acceptable service, at least given
the environment that we have to work with.

The first question has to do with key generation. One of the managers
was of the opinion that we could do the key generation for the user,
and either email or otherwise make the private key available to the 
user. The idea is to make it easy for the user to create their keys
by providing a web interface, etc. BTW, we're running Netscapes 
Commerce server so we could expect at least 40 bits of protection
(big deal, I know) on the passphrase transmission. The good enough
part is due to the idea that we're running a couple of large multi-
user machines, with all the risks those entail. Note also that 
we would not be keeping logs or otherwise compromising the keys
ourselves, this would strictly be a user-friendly way to get people
using signatures. We would also accept keys that users create themselves,
this would only be one option.

Second, the web of trust might also be useful, so we could sign
users keys to certify them. Has anyone worked in an organization
of some sort that has a structured approach to key certification
using PGP?

This is just in the preliminary talking stages at this point,
but I thought I'd toss these 2 ideas out for comments to see
what people here think.

 
-- 
Kevin L. Prigge        |"A computer lets you make more mistakes faster 
UofM Central Computing | than any invention in human history--with the 
email: [email protected] | possible exceptions of handguns and tequila."
01001101100010110010111|- Mitch Ratcliffe