Corporate public key?
Daniel Carrera
dcarrera@math.umd.edu
Tue Jul 8 18:32:02 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello all,
I've been looking at ING, and I think that they should be using GPG. ING is a
huge bank, but they deal with their customers entirely through the phone or the
internet.
Their website says that personal account information can only be given over the
phone because email is not secure.
I want to suggest they use GPG, but honestly I'm not sure how they'd go about
doing that. Authenticating the user is not a problem. They can ask for a
physical letter with my fingerprint and physical signature (which they have on
file) and then have me phone them, authenticate myself, and then verify the
signature over the phone.
The problem lies in how the user would authenticate ING. Would ING have a
corporate-wide GPG key? You can't just have a single common passphrase for every
employee in the bank. And they can't have a different key for every employee,
since that would be an authentication nightmare for users.
Does GPG have a solution for this kind of problem? Is there a way to have a
corporate signature?
If there is one, I will send a suggestion to ING.
Cheers,
- --
Daniel Carrera | OpenPGP fingerprint:
Graduate TA, Math Dept | 6643 8C8B 3522 66CB D16C D779 2FDD 7DAC 9AF7 7A88
UMD (301) 405-5137 | http://www.math.umd.edu/~dcarrera/pgp.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (SunOS)
iD8DBQE/CvJVnxE8DWHf+OcRAjpjAJ0X6IHm/S6yWmT8A27cdhfrXhTRnACfe1Vc
7w50XjM7tyZmC+E/8Ms4CNg=
=kX0V
-----END PGP SIGNATURE-----