1

An auditor recommends: We recommend that PGP environment be re-keyed using the industry required (ISO x9.8 and x9.24) standards of “split-knowledge and dual control”

Is there something that we're missing?: this would require encrypted files to be decrypted with two people each time the key is accessed/loaded.

Are there use cases with PGP keys that this makes sense?

Leo
  • 1,038
  • 1
  • 8
  • 13

1 Answers1

0

If you have a company key that was used to sign people's individual keys, yes, it should be password protected and the password divided to at least two people. Individual keys should also be password protected, but split-knowledge is not necessary or recommended for most purposes.

Chris S
  • 77,945
  • 11
  • 124
  • 216
  • I agree, the only use cases we can think of are long term encryption items like backups. But that would use a different key rather than the same one used for an individual's email. – Leo Sep 10 '10 at 15:21