
So I am currently restructuring my company's security policy and trying to get OpenPGP as a central point in all this.

Any input on how others have structured their trust network in a corporate setting. How do you verify which keys are employees and what roles (such as deploying software) people have?

I have my own idea as to how I'm going to structure this, but I'd love to hear other people's thoughts first.

@freemo PGP, in any implementation, is awful and should be phased out as quickly as possible. PGP was created before security in computing became a real, widespread thing.

This article explains the situation in its entirety:
https://latacora.micro.blog/2019/07/16/the-pgp-problem.html

High security projects such as GrapheneOS have already dropped PGP and switched to the superior OpenBSD Signify, which does a much better job at PKI signing, in a much safer way:
https://www.openbsd.org/papers/bsdcan-signify.html

age can be used as a superior PGP PKI encryption replacement, again doing its job in a much better and safer way than PGP ever did or can:
https://github.com/FiloSottile/age

@inference Do either of these solutions have hardware encryption options similar to YubiKey?

@freemo As DANE/CERT is obsolete in my eyes (dev.gnupg.org/T4618), I recommend WKD, if LDAP is out of the question for you. In contrast to a keyserver, the domain owner must play an active role in setting up WKD. This provides some kind of proof for the authenticity of the hosted public keys. Furthermore, 3rd party signatures are fetched over WKD, but not over HKPS (see: bugs.gentoo.org/878479). This allows for the setup of a centralised CA as done by the Gentoo Linux project (gentoo.org/glep/glep-0079.html). Here are some links that may provide some inspiration in this regard: youtu.be/RV1E_DjhCX0?t=1865 and sequoia-pgp.org/blog/2021/05/1
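
The WKD lookup referred to in the reply above, as an added example that is not code from any poster: it derives the URL a client fetches for a given address (lowercased local part, SHA-1, z-base-32, under both the "advanced" and "direct" methods of draft-koch-openpgp-webkey-service), which is what lets the domain owner, rather than an arbitrary keyserver uploader, vouch for the key. Standard library only; the sample address is the draft's own example and the helper names are this example's.

```python
import hashlib
import urllib.parse

# z-base-32 alphabet as used by WKD (not RFC 4648 base32).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, 5 bits per character, MSB first."""
    acc, nbits, out = 0, 0, []
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(acc >> nbits) & 0x1F])
            acc &= (1 << nbits) - 1  # drop consumed bits
    if nbits:  # pad the final partial group (never hit for 20-byte SHA-1)
        out.append(ZBASE32_ALPHABET[(acc << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """WKD hashed user-ID: lowercase local part -> SHA-1 -> z-base-32 (32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the advanced and direct WKD URLs (plus the advanced policy file)."""
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    hashed = wkd_hash(local_part)
    # The 'l' parameter carries the original, un-lowercased local part.
    query = urllib.parse.quote(local_part, safe="")
    base_adv = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    base_dir = f"https://{domain}/.well-known/openpgpkey"
    return {
        "advanced": f"{base_adv}/hu/{hashed}?l={query}",
        "advanced_policy": f"{base_adv}/policy",  # clients try this first
        "direct": f"{base_dir}/hu/{hashed}?l={query}",
    }


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:15} {url}")
```

A client tries the advanced method first and falls back to the direct one only if the openpgpkey subdomain does not resolve, so publishing the policy file and the hu/ directory under the subdomain is the canonical deployment.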

Qoto Mastodon