PGP & GPG Encryption

In the workplace, an employee may sign a company document by hand on behalf of the company. Legally, with respect to external interests, the company is responsible for any consequences that arise. Within the company, the employee who signed the document may be held accountable and answerable to the company, but not to external interests.

A digital signature that requires a pass phrase to be entered every time it is used makes the person or people who know the pass phrase responsible to the company for the consequences. Unlike a handwritten signature, a digital signature can be used by, and its pass phrase known to, multiple people. If digital signatures are to carry the same weight as handwritten signatures, only one person should know the pass phrase.

Some have suggested that pass phrases be maintained by an administrator who allocates pass phrases and keys to employees. The problem with this approach is that several people then know each pass phrase, which makes it hard to hold any one individual accountable: it is too easy to claim that the pass phrase leaked.

Alternatively, when the individual employee is responsible for changing and keeping secret the pass phrase, it becomes very difficult to avoid accountability.

The downside of delegating full responsibility, and thus full accountability, is that the same keys are used for both signing and encrypting. When a document or email is encrypted, only the recipients of the email, or those for whom the document is intended, can read it. Senior management is responsible for the operation of the company and therefore needs full access to correspondence and documentation.

This problem is not new: an employee can write a letter, put it in an envelope, address it, stamp it, and post it. Unless a copy of the letter is made, management may never have an audit trail of that piece of correspondence.

Ultimately, access to correspondence and documentation is a matter of trust that the employee will follow company procedures and create an audit trail.

The situation is no different when encryption is involved. To give management access and an audit trail, nothing more is required than company policies and procedures. These procedures could be along the lines of: whenever encrypted correspondence is sent, a BCC copy is sent to an internal company email account. This provides a readable copy of the correspondence or email message. In the case of an encrypted document, an unencrypted copy is kept, or, where no unencrypted version is desirable, encrypted copies are sent to a company email account or to the relevant people within the company.

Note that the sender of encrypted correspondence and documents cannot read them once encrypted; only the recipients can. For the sender to keep a readable copy of an encrypted email, they may BCC or CC themselves. This puts a copy in their inbox that is readable with their own private key and pass phrase.

Recommendations
  1. The individual employee is responsible for changing, and keeping secret, the pass phrase for their key.
  2. Create one or more separate encryption keys and one email account for each key, to be used solely for this special purpose; for example, create a key for audit@company.com, where <audit> is an email account at your <company.com> domain.
  3. Inform employees that they are to create an audit trail.
  4. When an email message is encrypted, send a BCC copy to audit@company.com.
  5. For encrypted documents, create an encrypted copy for audit@company.com with 'audit' in the name of the file.
  6. Forward all incoming encrypted correspondence to audit@company.com.

These recommendations are a guide only to provide a starting point from which company specific policies can be developed.

The benefit of having one or more special-purpose email accounts, each with its own encryption key, is that these accounts are company property, are not used for signing or encrypting, are used only for reading, may be accessed by multiple people, persist for the life of the company, and need not exist on public key servers. Individuals can be held just as accountable with a digital signature as they were with a handwritten signature.

Using this approach, just as a person's handwritten signature belongs to the individual, so too the encryption key is the property of the individual and not the company. Thus GPG and PGP keys stay with the individual for life. While it is possible for a company to allocate keys to employees, the usefulness and strength of such keys is diminished. Keys that stay with an individual for life have the benefit of full participation in the web of trust.

It works like this: an individual establishes a personal key. That key is validated and strengthened by participation in the web of trust. Throughout their lifetime, the individual adds email addresses to the key and removes them from it. When they commence work at a new job, they add their new company email address to their key. Upon leaving that company, they remove that email address from their key.
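The recommendations above (an audit key and audit copies of encrypted documents) and the add-a-work-address, remove-it-on-leaving lifecycle just described, carried out with the gpg command line in a throwaway keyring. This is an added example, not part of the original page; the names, addresses, document contents and the audit@company.com mailbox are constructed for illustration, and the demo keys are deliberately left without a pass phrase so the script runs unattended.

```shell
#!/bin/sh
# Added example, not from the original page: a throwaway GnuPG keyring that walks
# through the audit-copy procedure and the add/remove-UID lifecycle described above.
# All names, addresses and file contents are constructed for illustration.
set -eu

export GNUPGHOME="$(mktemp -d)"   # isolated keyring: nothing here touches ~/.gnupg
WORK="$(mktemp -d)"               # scratch directory for the documents
AUDIT="audit@company.com"         # company-owned mailbox with its own key

# All gpg calls are non-interactive; the demo keys are unprotected, so the empty
# passphrase is accepted (real keys keep the owner's pass phrase).
gpgq() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Name of the audit copy of a document: report.txt -> report.audit.gpg
audit_copy_name() { printf '%s.audit.gpg\n' "${1%.*}"; }

# Encrypt a document for its intended recipient, then write a second copy that only
# the audit key can open (recommendation 5); the sender's own key is not a recipient.
encrypt_with_audit_copy() {
    gpgq --yes --trust-model always --encrypt --recipient "$2" --output "$1.gpg" "$1"
    gpgq --yes --trust-model always --encrypt --recipient "$AUDIT" \
         --output "$(audit_copy_name "$1")" "$1"
}

# Management reads the audit copy with the audit key, never with an employee's key.
read_audit_copy() { gpgq --decrypt "$1"; }

demo() {
    cd "$WORK"
    # The employee's key is personal and lifelong; the audit key is company property.
    gpgq --quick-gen-key "Alice Example <alice@example.org>" default
    gpgq --quick-gen-key "Audit Mailbox <$AUDIT>" default
    gpgq --quick-gen-key "Bob Example <bob@example.net>" default
    # Alice joins the company: the work address is added as a user ID on her own key.
    gpgq --quick-add-uid alice@example.org "Alice Example <alice@company.com>"
    printf 'quarterly figures\n' > report.txt
    encrypt_with_audit_copy report.txt bob@example.net
    ls report.txt.gpg report.audit.gpg
    # Alice leaves: the work user ID is revoked and the personal key goes with her.
    gpgq --quick-revoke-uid alice@example.org "Alice Example <alice@company.com>"
    gpgq --list-keys alice@example.org
}

if command -v gpg >/dev/null 2>&1; then demo; else echo "gpg not installed" >&2; fi
```

In a real deployment the three keys would live in three different keyrings; here they share one so that the decrypt step can be checked in a single run.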

For the company there is no risk from past employees, as first-line security such as building access is removed and computer account passwords are changed. This should be sufficient to prevent any access to secure data; if it is not, general security needs re-evaluation. By implementing the measures suggested above, company management should have access to any documents they require. As for malicious damage, a company can never fully protect itself from that, and nothing has changed with the advent of encryption: it is neither harder nor easier to hide things. As has always been the case, it is to the individual that responsibility should be delegated, and from the individual that corresponding levels of accountability should be exacted.

GPG Encryption Documentation


@MEMBER OF PROJECT HONEY POT
Spam Harvester Protection Network
provided by Unspam
CAUBE
Web Master Site Map Terms of Service Valid XHTML 1.0 Transitional Valid Cascading Style Sheet