Corporate public key?

Dennis Lambe Jr. malsyned@cif.rochester.edu
Tue Jul 8 21:04:03 2003


On Tue, 2003-07-08 at 14:39, Neil Williams wrote:
> I've imported public keys with some 700 signatures, but for WoT to work at the
> customer end, wouldn't every customer (including potential customers who may
> be turned down for loans, credit etc.) have to sign the corporate ING key?
> That could be a few thousand. A key in my public ring only activates the WoT
> if there is a path from my key to the target key (of a short-ish length). The
> path cannot begin until I've signed the ING key or a key that has also signed
> the ING key. Is it practical to put in the policy that customers only sign
> the ING key as non-exportable? Or must ING maintain the key and delete
> customer exportable signatures?

A non-exportable signature on the main ING key, and an assigned amount
of trust in that key's controlling entity, is all a customer needs to
have.  Signing a key non-exportably is the ideal way to tell GnuPG you
trust a key without telling anyone else that you think they should agree
with you.

A fact of the WoT is that anyone is free to sign a key exportably
though.  This is NOT a problem.  If someone signs your key, that doesn't
hurt your key at all.  It can either help it, or have no effect.  It may
affect how much other people rely on that person as a competent signer,
but that's all.  Apart from file size, there's no reason to worry about
a key collecting useless signatures.

> The UID details are not exactly hard to forge, the security should really be
> left to the fingerprint and signatures. If the email is signed (or preferably
> signed and encrypted), then the contents of the email, including the address
> and contact details of the person at ING, can be verified with the signature
> - bad signature and the customer must ask for confirmation from a central
> support address at ING.

The contents of a UID are as hard to forge as any other part of a GnuPG
key.  (That is, very hard.)  Signatures on a key are applied to a hash
of the combination of the public key and the UID, so once I've signed a
UID claiming that someone is the "VP of Harassment", they can't change
the data in that UID to read "VP of Promotion" without invalidating all
signatures on that UID.

If ING has signed a key which says it belongs to John Smith, VP of
Security, then you can know that John Smith really is the VP of Security
for ING.  That is, unless the person in charge of keysignings at ING is
irresponsible or malicious, in which case we've got much bigger
problems.

--Dennis Lambe
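
Added example, not part of the original message: a sketch of the data an OpenPGP v4 certification signature hashes (layout per RFC 4880, section 5.2.4), showing that the digest covers both the public key and the UID, and that the non-exportable flag is itself part of the signed data. The key material, UID strings, timestamps and the choice of SHA-256 are constructed for illustration; only the digest is computed, no real signature is made.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-octet bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

# Constructed v4 RSA public-key packet body (toy 16-bit modulus, not a real key):
# version 4, creation time, algorithm 1 (RSA), MPI n, MPI e.
KEY_BODY = bytes([4]) + struct.pack(">I", 1057600000) + bytes([1]) + mpi(0xC35B) + mpi(65537)

def subpacket(sp_type: int, data: bytes) -> bytes:
    """Short-form signature subpacket: one length octet covering type + data."""
    return bytes([len(data) + 1, sp_type]) + data

def certification_digest(key_body: bytes, uid: str, exportable: bool = True,
                         created: int = 1057698243) -> bytes:
    """Digest that a v4 generic certification (signature type 0x10) signs."""
    uid_bytes = uid.encode("utf-8")
    hashed_sub = subpacket(2, struct.pack(">I", created))  # signature creation time
    if not exportable:
        # Exportable Certification subpacket (type 4) set to 0: a local signature.
        # Placing it in the hashed area is this example's choice.
        hashed_sub += subpacket(4, b"\x00")
    # version 4, sig type 0x10, pubkey algo 1 (RSA), hash algo 8 (SHA-256)
    sig_data = bytes([4, 0x10, 1, 8]) + struct.pack(">H", len(hashed_sub)) + hashed_sub
    h = hashlib.sha256()
    h.update(b"\x99" + struct.pack(">H", len(key_body)) + key_body)    # public key
    h.update(b"\xb4" + struct.pack(">I", len(uid_bytes)) + uid_bytes)  # User ID
    h.update(sig_data)                                                 # signature fields
    h.update(b"\x04\xff" + struct.pack(">I", len(sig_data)))           # v4 trailer
    return h.digest()

def demo():
    """Digests for the signed UID, an edited UID, and a local (non-exportable) signature."""
    original = "John Smith (VP of Harassment) <jsmith@example.com>"  # constructed UID
    edited = "John Smith (VP of Promotion) <jsmith@example.com>"     # constructed UID
    return (certification_digest(KEY_BODY, original),
            certification_digest(KEY_BODY, edited),
            certification_digest(KEY_BODY, original, exportable=False))

if __name__ == "__main__":
    for label, digest in zip(("signed UID", "edited UID", "local sig "), demo()):
        print(label, digest.hex())
```

A signature made over the first digest cannot verify against the second, which is why editing the UID text invalidates every certification on it.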
