Corporate public key?

CL Gilbert Lamont_Gilbert@RigidSoftware.com
Tue Jul 8 19:26:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Daniel Carrera wrote:
| Hello all,
|
| I've been looking at ING, and I think that they should be using GPG.
| ING is a huge bank, but they deal with their customers entirely through
| the phone or the internet.
|
| Their website says that personal account information can only be given
| over the phone because email is not secure.
|

BS.  And a 4 digit phone pin which comes through snail mail is secure?

Lukasz has an excellent answer.  Currently most online institutions I
deal with simply use a password.  This is much less secure than a pub key.

I would CERTAINLY LOVE to have them accept my public key for all of my
future authentication.

I have disabled ssh passwords on my Linux box in favor of gpg key logins
because they can't be hacked like a pwd.  Plus I don't have to remember
them as long as I have my key with me.  I would love to have a ring with
an RFID in it that could authenticate me :D  but only if it's my *choice*
and not a requirement.


| I want to suggest they use GPG, but honestly I'm not sure how they'd
| go about doing that.  Authenticating the user is not a problem.  They
| can ask for a physical letter with my fingerprint and physical
| signature (which they have on file) and then have me phone them,
| authenticate myself, and then verify the signature over the phone.
|
| The problem lies in how the user would authenticate ING.  Would ING
| have a corporate-wide GPG key?  You can't just have a single common
| passphrase for every employee in the bank.  And they can't have a
| different key for every employee, since that would be an
| authentication nightmare for users.
|

Well, when you walk into the bank to give them your public key on disk,
they can give you theirs.  Then you will know every key signed by that
key is authorized to send you info.

| Does GPG have a solution for this kind of problem?  Is there a way to
| have a corporate signature?
|

Indeed.


| If there is one, I will send a suggestion to ING.
|

That's a good idea.  Maybe charge a consulting fee as well :)


| Cheers,
| --
| Daniel Carrera         | OpenPGP fingerprint:
| Graduate TA, Math Dept | 6643 8C8B 3522 66CB D16C D779 2FDD 7DAC 9AF7 7A88
| UMD  (301) 405-5137    | http://www.math.umd.edu/~dcarrera/pgp.html

- --
Thank you,


CL Gilbert
Free Java interface to Freechess.org
http://www.rigidsoftware.com/Chess/chess.html
"Then said I, Wisdom [is] better than strength: nevertheless the poor
man's wisdom [is] despised, and his words are not heard." Ecclesiastes 9:16

GnuPG Key Fingerprint:
82A6 8893 C2A1 F64E A9AD  19AE 55B2 4CD7 80D2 0A2D
GNU Privacy Guard http://www.gnupg.org
Pretty Good Privacy (PGP) http://web.mit.edu/network/pgp.html, Windows
users should try that.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/Cv73VbJM14DSCi0RAjoeAKDiItrVR0LwNHMwuVI+6PfdTwDxqACffUoS
If/Eic/9Om3Rtx/aEk1LVfs=
=bKRc
-----END PGP SIGNATURE-----