Corporate public key?

Neil Williams
Tue Jul 8 20:37:02 2003


On Tuesday 08 Jul 2003 6:13 pm, wrote:
> On Tue, 8 Jul 2003, Daniel Carrera wrote:

> An ING corporate key has added power when the WoT is taken into
> consideration.  If ING's signing policy states that an ING signature on a
> key means that the individual is an authorized agent of ING, you can be
> sure that when you receive a communication from anyone whose key bears
> ING's signature, that person is authorized to act on behalf of ING.

I've imported public keys with some 700 signatures, but for WoT to work at
customer end, wouldn't every customer (including potential customers who may
be turned down for loans, credit etc.) have to sign the corporate ING key?
That could be a few thousand. A key in my public ring only activates the WoT
if there is a path from my key to the target key (of a short-ish length). The
path cannot begin until I've signed the ING key or a key that has also signed
the ING key. Is it practical to put in the policy that customers only sign
the ING key as non-exportable? Or must ING maintain the key and delete
customer exportable signatures?

> Perhaps their UID would contain their corporate title:
> uid  John Smith (Vice President of Security) <>
> sig    ING Corporation <>
> So now, when John Smith tells you he works for ING and that your loan was
> approved, you know it's true.

The UID details are not exactly hard to forge, the security should really be
left to the fingerprint and signatures. If the email is signed (or preferably
signed and encrypted), then the contents of the email, including the address
and contact details of the person at ING, can be verified with the signature
- bad signature and the customer must ask for confirmation from a central
support address at ING.

> This use of the WoT along with a corporate signature means that very few
> people (perhaps just a guy in IT and a guy in HR) need access to
> ING's main private key in order to sign new employees' keys and revoke
> signatures on former employees when they leave the company.
> I'm a CS undergrad and an expert in nothing, but to me this seems like a
> good and workable idea.
> --Dennis Lambe

Just how practical ING will see it, we can only wait.


Neil Williams

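The trust-path question in the message above (no path from the customer's key to an employee key until the customer has certified the corporate key, and the effect of making that certification non-exportable) can be modelled in a few lines. This is an added illustration, not code from the list thread or from GnuPG; it deliberately simplifies GnuPG's validity calculation to a plain hop-limited path search over certifications (real GnuPG also weighs ownertrust and marginal/complete trust, which are ignored here), and the key names, the `Keyring` class and the scenario are all constructed for the example.

```python
"""Toy model of OpenPGP certification paths with a hop limit.

Edges point from the signer to the signed key.  A signature made with
``gpg --lsign-key`` is local (non-exportable): it counts in the keyring of
the person who made it but is dropped when the key is exported, so nobody
else ever sees it.  The hop limit stands in for GnuPG's --max-cert-depth
(default 5); the ownertrust part of GnuPG's model is left out on purpose.
"""
from collections import deque

MAX_CERT_DEPTH = 5  # assumed plain hop limit, mirroring GnuPG's default


class Keyring:
    """Keys plus the certifications between them, as held by one user."""

    def __init__(self):
        self.sigs = {}  # signee -> list of (signer, exportable)

    def add_key(self, key_id):
        self.sigs.setdefault(key_id, [])

    def sign(self, signer, signee, exportable=True):
        """Record that `signer` certified `signee`; exportable=False is --lsign-key."""
        self.add_key(signer)
        self.add_key(signee)
        self.sigs[signee].append((signer, exportable))

    def exported_copy(self):
        """What other people receive: local (non-exportable) signatures vanish."""
        out = Keyring()
        for signee, sigs in self.sigs.items():
            out.add_key(signee)
            for signer, exportable in sigs:
                if exportable:
                    out.sign(signer, signee, True)
        return out

    def trust_path(self, start, target, max_depth=MAX_CERT_DEPTH):
        """Shortest certification chain from `start` to `target` within
        `max_depth` hops, as a list of key ids, or None if there is none."""
        signed_by = {}  # signer -> keys it has certified
        for signee, sigs in self.sigs.items():
            for signer, _ in sigs:
                signed_by.setdefault(signer, []).append(signee)
        queue = deque([(start, [start])])
        seen = {start}
        while queue:
            key, path = queue.popleft()
            if key == target:
                return path
            if len(path) - 1 >= max_depth:
                continue  # hop budget exhausted on this branch
            for nxt in signed_by.get(key, []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [nxt]))
        return None


def demo():
    """Constructed scenario: the corporate key has signed an employee key.
    Returns the path before the customer certifies the corporate key, after a
    local (non-exportable) certification, and as seen in the customer's
    exported keyring."""
    employee = "John Smith (VP of Security)"
    customer = Keyring()
    customer.sign("ING Corporation", employee)  # imported from a keyserver
    customer.add_key("Neil")                    # the customer's own key
    before = customer.trust_path("Neil", employee)
    customer.sign("Neil", "ING Corporation", exportable=False)  # gpg --lsign-key
    after = customer.trust_path("Neil", employee)
    public_view = customer.exported_copy().trust_path("Neil", employee)
    return before, after, public_view


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives no path before the customer certifies the corporate key, a two-hop path afterwards, and again no path in the exported copy: the local signature answers the poster's question about a non-exportable policy, since it makes the corporate key usable for that customer without ever publishing thousands of customer signatures on ING's key.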