Corporate public key?

malsyned@dennisx.cif.rochester.edu
Tue Jul 8 19:11:02 2003


On Tue, 8 Jul 2003, Daniel Carrera wrote:
> The problem lies in how the user would authenticate ING.  Would ING have a 
> corporate-wide GPG key?  You can't just have a single common passphrase for every 
> employee in the bank.  And they can't have a different key for every employee, 
> since that would be an authentication nightmare for users.
> 
> Does GPG have a solution for this kind of problem?  Is there a way to have a 
> corporate signature?
> 
> If there is one, I will send a suggestion to ING.

This seems to be the same sort of scenario that Verisign deals with.  They 
have a certificate that belongs to "Verisign Corporation".  So that 
at least proves it's possible.

A corporate GPG key for ING could be handled in plenty of ways.  Certain
trusted employees are given the ability to access the private key of ING 
Corporation, either by giving them the password, or by giving their UNIX
account execute access to a SUID script.  There are plenty of ways to 
control access to the private key.

Some out-of-band mechanism could be used to verify ING's corporate 
fingerprint.  One can presume that their fingerprint would become widely 
known pretty quickly, making it hard to masquerade as them.  Perhaps the 
postal service provides a kind of certified mail that would guarantee the 
sender and recipient of a letter to you containing the fingerprint?  I'm 
not sure, but the issues are of the same level of complexity as them 
verifying your key.

An ING corporate key has added power when the WoT is taken into
consideration.  If ING's signing policy states that an ING signature on a
key means that the individual is an authorized agent of ING, you can be
sure that when you receive a communication from anyone whose key bears
ING's signature, that person is authorized to act on behalf of ING.  
Perhaps their UID would contain their corporate title:

uid  John Smith (Vice President of Security) <jsmith@ing.com>
sig    ING Corporation <ing@ing.com>

So now, when John Smith tells you he works for ING and that your loan was 
approved, you know it's true.

This use of the WoT along with a corporate signature means that very few 
people (perhaps just a guy in IT and a guy in HR) need access to 
ING's main private key in order to sign new employees' keys and revoke 
signatures on former employees when they leave the company.

I'm a CS undergrad and an expert in nothing, but to me this seems like a 
good and workable idea.

--Dennis Lambe
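
The check a recipient would run under the signing policy described in the message above, as an added example that is not part of the original post: it reads a `gpg --with-colons --check-sigs` listing and reports which user IDs carry a verified, unrevoked certification from the corporate key. The key IDs, the listing, and every name other than the John Smith UID are constructed, and epoch timestamps in field 6 are assumed.

```python
# Added illustration: which user IDs carry a good, unrevoked certification
# from the corporate key? Input is `gpg --with-colons --check-sigs` output.
CORP_KEYID = "1111222233334444"          # constructed placeholder key ID
CERT_CLASSES = {"10", "11", "12", "13"}  # RFC 4880 user ID certification types
REVOKE_CLASS = "30"                      # RFC 4880 certification revocation

# Constructed sample listing; all key IDs and hashes are placeholders.
SAMPLE = """\
pub:f:2048:1:AAAABBBBCCCCDDDD:1057000000:::-:::scESC:
uid:f::::1057000000::HASH1::John Smith (Vice President of Security) <jsmith@ing.com>:
sig:!::1:AAAABBBBCCCCDDDD:1057000000::::John Smith <jsmith@ing.com>:13x:
sig:!::1:1111222233334444:1057100000::::ING Corporation <ing@ing.com>:10x:
pub:f:2048:1:EEEEFFFF00001111:1050000000:::-:::scESC:
uid:f::::1050000000::HASH2::Jane Doe (Teller) <jdoe@ing.com>:
sig:!::1:1111222233334444:1050100000::::ING Corporation <ing@ing.com>:10x:
rev:!::1:1111222233334444:1056000000::::ING Corporation <ing@ing.com>:30x:
pub:f:2048:1:9999888877776666:1057000000:::-:::scESC:
uid:f::::1057000000::HASH3::Mallory (ING Loans) <loans@example.net>:
sig:-::1:1111222233334444:1057100000::::ING Corporation <ing@ing.com>:10x:
"""

def corporate_certified_uids(listing, corp_keyid):
    """Return {user_id: True/False} for every uid record in the listing."""
    stamps = {}     # user ID -> [newest good cert time, newest good revocation time]
    current = None  # user ID that the following sig/rev records apply to
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub", "uat"):
            current = None  # signatures that follow are not on a user ID
        elif f[0] == "uid" and len(f) > 9:
            current = f[9]
            stamps[current] = [-1, -1]
        elif f[0] in ("sig", "rev") and current is not None and len(f) > 10:
            # Count only signatures gpg verified ("!") that the corporate key issued.
            if not f[1].startswith("!") or f[4].upper() != corp_keyid.upper():
                continue
            sig_class, created = f[10][:2], int(f[5])
            if f[0] == "sig" and sig_class in CERT_CLASSES:
                stamps[current][0] = max(stamps[current][0], created)
            elif f[0] == "rev" and sig_class == REVOKE_CLASS:
                stamps[current][1] = max(stamps[current][1], created)
    # Certified only if the newest good certification postdates any revocation.
    return {uid: cert > rev for uid, (cert, rev) in stamps.items()}

if __name__ == "__main__":
    for uid, ok in corporate_certified_uids(SAMPLE, CORP_KEYID).items():
        print("CERTIFIED    " if ok else "NOT CERTIFIED", uid)
```

A "!" only means gpg verified the signature against whichever key in the local keyring has that key ID, so the result is as trustworthy as the out-of-band fingerprint check on the corporate key itself.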