Corporate public key?
Tue Jul 8 20:37:02 2003
On Tuesday 08 Jul 2003 6:13 pm, firstname.lastname@example.org wrote:
> On Tue, 8 Jul 2003, Daniel Carrera wrote:
> An ING corporate key has added power when the WoT is taken into
> consideration. If ING's signing policy states that an ING signature on a
> key means that the individual is an authorized agent of ING, you can be
> sure that when you receive a communication from anyone whose key bears
> ING's signature, that person is authorized to act on behalf of ING.
I've imported public keys with some 700 signatures, but for WoT to work at the
customer end, wouldn't every customer (including potential customers who may
be turned down for loans, credit etc.) have to sign the corporate ING key?
That could be a few thousand. A key in my public ring only activates the WoT
if there is a path from my key to the target key (of a short-ish length). The
path cannot begin until I've signed the ING key or a key that has also signed
the ING key. Is it practical to put in the policy that customers only sign
the ING key as non-exportable? Or must ING maintain the key and delete
customer exportable signatures?
> Perhaps their UID would contain their corporate title:
> uid John Smith (Vice President of Security) <email@example.com>
> sig ING Corporation <firstname.lastname@example.org>
> So now, when John Smith tells you he works for ING and that your loan was
> approved, you know it's true.
The UID details are not exactly hard to forge, the security should really be
left to the fingerprint and signatures. If the email is signed (or preferably
signed and encrypted), then the contents of the email, including the address
and contact details of the person at ING, can be verified with the signature
- bad signature and the customer must ask for confirmation from a central
support address at ING.
> This use of the WoT along with a corporate signature means that very few
> people (perhaps just a guy in IT and a guy in HR) need access to
> ING's main private key in order to sign new employees' keys and revoke
> signatures on former employees when they leave the company.
> I'm a CS undergrad and an expert in nothing, but to me this seems like a
> good and workable idea.
> --Dennis Lambe
Just how practical ING will see it, we can only wait.
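The path condition described above (no path from my key to an ING employee's key until I have signed the ING key, or a key that has signed it) can be illustrated with a small simulation. This is an added example, not code from the original thread or from GnuPG: it uses a simplified "chain of certifications" model with a maximum path length, standing in for the real GnuPG validity calculation, and the keyring contents (ING, JOHN, CAROL, ALICE, BOB, ME) are constructed for the illustration.

```python
from collections import deque

def build_ring(my_signatures):
    """Constructed keyring as seen from my side: key id -> set of key ids that
    have certified it. Local (non-exportable) signatures by ME exist only here."""
    sigs = {
        "ING":   {"CAROL"},        # corporate key, also certified by customer CAROL
        "JOHN":  {"ING"},          # employee key, certified by ING under its policy
        "CAROL": set(),
        "ALICE": {"BOB"},          # two unrelated keys that only certify each other
        "BOB":   {"ALICE"},
        "ME":    set(),            # my own key
    }
    for key in my_signatures:      # keys I have signed (e.g. with --lsign-key)
        sigs[key].add("ME")
    return sigs

def signature_path(sigs, start, target, max_depth=5):
    """Shortest chain of certifications start -> ... -> target, or None.
    Simplified path model (assumption, not GnuPG's algorithm); max_depth
    mirrors the 'short-ish length' limit, GnuPG's default max-cert-depth is 5."""
    out = {k: set() for k in sigs}              # edges: signer -> signed key
    for signed, signers in sigs.items():
        for signer in signers:
            out.setdefault(signer, set()).add(signed)
    queue, seen = deque([(start, [start])]), {start}
    while queue:
        key, path = queue.popleft()
        if key == target:
            return path
        if len(path) - 1 >= max_depth:          # path would exceed the depth limit
            continue
        for nxt in out.get(key, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None

if __name__ == "__main__":
    for signed in (set(), {"ING"}, {"CAROL"}, {"ALICE"}):
        print(sorted(signed), "->", signature_path(build_ring(signed), "ME", "JOHN"))
```

With nothing signed, JOHN stays unreachable even though ING has certified him; signing either ING directly or CAROL (who signed ING) creates the path, while signing an unrelated key does not.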