Corporate public key?
Lukasz Stelmach <Lukasz.Stelmach@k.telmark.waw.pl>
Tue Jul 8 19:06:03 2003
It was 12:33:26 on Tuesday 08 July when a ticket inspector got on the bus
and yelled: "Daniel Carrera!!! Ticket for inspection!!!" And he/she replied:
DC> I want to suggest they use GPG, but honestly I'm not sure how they'd go
DC> about doing that.
DC> The problem lies in how the user would authenticate ING. Would ING
DC> have a corporate-wide GPG key? You can't just have a single common
DC> passphrase for every employee in the bank. And they can't have a
DC> different key for every employee, since that would be an authentication
DC> nightmare for users.
IMHO it should be done like that:
* one corporate key (CK)
* a few division keys (in each city?) (optional)
* each employee's key is signed with CK
* user/client's key is signed by employee after proper verification
(e.g. fingerprint said over phone)
Then we use web-of-trust. Each client may have a different signature
on her/his key but even though it can be trusted because the one
who has signed it is an ING employee.
Take care, Daniel...
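An added example, not part of the original message: a simplified Python model of the hierarchy proposed above (CK signs employee keys, employees sign client keys), showing which keys a verifier ends up accepting depending on whose signatures it relies on. It is not GnuPG's actual validity algorithm (marginal trust is ignored), and all key names are constructed.

```python
# Simplified model of OpenPGP key validity: a key is valid when it is signed by
# a key that is itself valid AND is a trusted introducer for the verifier.
# All key names below are constructed for illustration.

# signer -> keys it has certified (the hierarchy from the message above)
SIGNATURES = {
    "CK": {"employee-alice", "employee-bob"},
    "employee-alice": {"client-1"},
    "employee-bob": {"client-2"},
    "outsider": {"client-3"},  # signed by someone CK never certified
}

def valid_keys(roots, introducers, max_depth=5):
    """Return the set of keys the verifier accepts as valid.

    roots       -- keys whose fingerprint the verifier checked personally
    introducers -- keys whose certifications the verifier relies on
    max_depth   -- longest certification chain followed
    """
    valid = set(roots)
    frontier = set(roots)
    for _ in range(max_depth):
        nxt = set()
        for signer in frontier:
            if signer not in introducers:
                continue  # valid key, but its signatures carry no weight
            nxt |= SIGNATURES.get(signer, set()) - valid
        if not nxt:
            break
        valid |= nxt
        frontier = nxt
    return valid

def ing_view(employee_names):
    """Verifier who checked CK's fingerprint and relies on CK plus the
    employees CK certified (the message's assumption that an ING employee's
    signature can be trusted)."""
    return valid_keys({"CK"}, {"CK"} | set(employee_names))

if __name__ == "__main__":
    # Trusting only CK authenticates employees but not clients.
    print(sorted(valid_keys({"CK"}, {"CK"})))
    # Relying on employees as introducers also validates the clients they signed.
    print(sorted(ing_view(["employee-alice", "employee-bob"])))
```

In GnuPG terms, the second case corresponds to each verifier assigning ownertrust to employee keys, or to CK certifying employees with a trust signature; a plain signature from CK alone only makes the employee keys valid.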