Corporate public key?

Lukasz Stelmach
Tue Jul 8 19:06:03 2003

 It was 12:33:26 on Tuesday 08 July when a ticket inspector boarded the bus
 and yelled: "Daniel Carrera!!! Ticket for inspection!!!" And he/she replied:

DC> I want to suggest they use GPG, but honestly I'm not sure how they'd go
DC> about doing that.
DC> The problem lies in how the user would authenticate ING.  Would ING
DC> have a corporate-wide GPG key?  You can't just have a single common
DC> passphrase for every employee in the bank.  And they can't have a
DC> different key for every employee, since that would be an authentication
DC> nightmare for users.

IMHO it should be done like this:

* one corporate key (CK)
* a few division keys (in each city?) (optional)
* each employee's key is signed with CK
* user/client's key is signed by an employee after proper verification
  (e.g. fingerprint said over phone)

Then we use web-of-trust. Each client may have a different signature
on her/his key, but even so it can be trusted because the one
who has signed it is an ING employee.

Keep warm, Daniel...
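
The hierarchy proposed in the message above, modelled as a signature graph (an added example, not part of the original post). The key names, the depth limit and the revocation set are constructed for illustration, and this is a simplified model, not GnuPG's own trust calculation. It shows that a client who trusts only CK can validate any key an employee signed, and that the chain breaks when the signing employee's key is revoked or the signer has no path back to CK.

```python
from collections import deque

# Constructed sample data: signer -> keys that signer has certified.
SIGNATURES = {
    "CK": {"DIV-city-A", "emp-alice"},       # corporate key signs divisions/employees
    "DIV-city-A": {"emp-bob"},               # optional division key signs employees
    "emp-alice": {"client-1"},               # employees sign verified client keys
    "emp-bob": {"client-2"},
    "outsider": {"client-3", "emp-fake"},    # not certified by CK at any level
}


def trust_path(target, root="CK", sigs=SIGNATURES, max_depth=3,
               revoked=frozenset()):
    """Return the shortest signature chain from root to target, or None.

    max_depth is the maximum number of signatures in the chain
    (CK -> division -> employee -> client needs 3).
    Revoked keys can neither be validated nor vouch for others.
    """
    if root in revoked:
        return None
    queue = deque([[root]])
    seen = {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_depth:
            continue  # chain already uses the allowed number of signatures
        for signed in sorted(sigs.get(path[-1], ())):
            if signed not in seen and signed not in revoked:
                seen.add(signed)
                queue.append(path + [signed])
    return None


if __name__ == "__main__":
    for key in ("client-1", "client-2", "client-3"):
        print(key, "->", trust_path(key))
    # An employee leaves and the key is revoked: clients signed only by
    # that employee lose their path to CK and need a new signature.
    print("client-1 after revocation ->",
          trust_path("client-1", revoked={"emp-alice"}))
```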