The hardest part of using PGP, key management, doesn't scale well in large organizations. We solved this problem at First Look Media (where there are over 200 PGP users) with GPG Sync. We maintain a keylist, and everyone subscribes to it, so everyone has the latest public key for everyone else.
I'm excited to announce that we've submitted a draft RFC that will turn GPG Sync into an internet standard!
Check this out: https://tech.firstlook.media/keylist-rfc-explainer
GPG Sync is a program you install on your computer that lets you subscribe to keylists. It calls out to `gpg` to import all of the keys on your keylists on a regular basis.
I'm excited about keylists being an internet standard so that OpenPGP software that doesn't use GnuPG can support it too, like OpenKeychain on Android, or Mailvelope, or anything built on the new Sequoia-PGP Rust library.
Also, it'd be awesome if GPG Tools, Enigmail, etc. allowed you to subscribe to keylists directly.
Here's the text of the draft RFC if you're interested in how it works or want to get involved:
Big thanks to @rmrm who actually wrote the RFC and did most of the work as his FLM intern project. Nat Welch and I helped a little too :).
@bob not alone, because keylists are just lists of fingerprints. It still relies on keyservers to fetch the public keys.
But it will be completely compatible with whatever replacement for keyservers gets built in the future.
@micahflee You could have just had one key for the organization that signs all other keys and mark this as fully trusted. When you then enable the WoT mode, they will all be trusted because they're signed.
@js this is recommended as part of the RFC, and also what we do at FLM. It makes it so we can have an internal web of trust that scales linearly as opposed to exponentially (keysigning parties).
However, it doesn't make it so everyone has everyone else's correct public key. If there's a new remote employee I haven't talked to yet and I need to write them an email, with GPG Sync I can just write them an encrypted email and not think about it. Otherwise I'd have to first go find their key.
@micahflee I see. So the problem you're solving is not so much that of trust, but making sure to always have all public keys readily available. Makes sense.
@js yup. And if someone revokes their old key and switches to a new one, everyone else doesn't even have to be aware of it, they keep emailing and it just works. Or if someone's key expires and they update the expiration date, everyone else doesn't need to manually refresh that key.
The idea is to remove the complexity and hassle of key management from *everyone* to like one or two PGP nerds who like this stuff.
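As an added illustration of the mechanism described in this thread (a keylist is just a list of fingerprints; the client periodically re-imports every listed key through `gpg` so revocations and expiration updates propagate), here is a small Python sketch of the client-side logic. It is not GPG Sync's own code: the JSON layout of the sample keylist is my assumption about the draft format, and the fingerprints and URLs in it are constructed.

```python
import json
import re

FPR_RE = re.compile(r"^[0-9A-F]{40}$")

# Constructed sample keylist in the JSON layout I understand the draft RFC to
# use (a "keys" array of objects with a "fingerprint" field). That layout is an
# assumption, and the fingerprints below are made up, not anyone's real key.
SAMPLE_KEYLIST = json.dumps({
    "metadata": {"signature_uri": "https://keylist.example.org/keylist.json.sig"},
    "keys": [
        {"name": "Alice", "fingerprint": "1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA"},
        {"name": "Bob", "fingerprint": "0xbbbbccccddddeeeeffff00001111222233334444"},
        {"name": "Broken", "fingerprint": "not-a-fingerprint"},
    ],
})


def normalize_fingerprint(raw):
    """Return a canonical 40-hex-digit fingerprint, or None if it is malformed."""
    s = raw.strip().upper().replace(" ", "")
    if s.startswith("0X"):
        s = s[2:]
    return s if FPR_RE.fullmatch(s) else None


def parse_keylist(text):
    """Split a keylist into (valid fingerprints, rejected raw entries)."""
    doc = json.loads(text)
    valid, rejected = [], []
    for entry in doc.get("keys", []):
        raw = str(entry.get("fingerprint", ""))
        fpr = normalize_fingerprint(raw)
        if fpr:
            valid.append(fpr)
        else:
            rejected.append(raw)  # never pass junk to gpg; surface it instead
    return valid, rejected


def plan_sync(keylist_fprs, previously_synced):
    """Decide what one sync run does. Every listed key is re-fetched, not just
    new ones, so revocations and updated expiration dates reach everyone;
    keys that dropped off the list are reported so the local copy can be reviewed."""
    listed = set(keylist_fprs)
    return {
        "fetch": sorted(listed),
        "new": sorted(listed - set(previously_synced)),
        "removed_from_list": sorted(set(previously_synced) - listed),
    }


def gpg_recv_command(fprs, keyserver):
    """argv for importing the listed keys; full fingerprints only, never short
    key IDs, so a keyserver cannot hand back a colliding key."""
    return ["gpg", "--keyserver", keyserver, "--recv-keys", *fprs]
```

Verifying the keylist's detached signature before parsing is the step this sketch leaves out; a client should do that first, otherwise anyone who can alter the list controls which keys get imported.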