So I am currently restructuring my company's security policy and trying to get OpenPGP as a central point in all this.
Any input on how others have structured their trust network in a corporate setting? How do you verify which keys are employees' and what roles (such as deploying software) people have?
I have my own idea as to how I'm going to structure this but I'd love to hear other people's thoughts first.
@inference Do either of these solutions have hardware encryption options similar to yubikey?
@freemo As DANE/CERT is obsolete in my eyes (https://dev.gnupg.org/T4618), I recommend WKD, if LDAP is out of the question for you. In contrast to a keyserver, the domain owner must play an active role in setting up WKD. This provides some kind of proof for the authenticity of the hosted public keys. Furthermore, 3rd party signatures are fetched over WKD, but not over HKPS (see: https://bugs.gentoo.org/878479). This allows for the setup of a centralised CA as done by the Gentoo Linux project (https://www.gentoo.org/glep/glep-0079.html). Here are some links that may provide some inspiration in this regard: https://youtu.be/RV1E_DjhCX0?t=1865 and https://sequoia-pgp.org/blog/2021/05/12/202105-hello-openpgp-ca/