Gnupg-users digest, Vol 1 #1332 - 9 msgs

vedaal@hush.com vedaal@hush.com
Tue Jul 8 23:55:02 2003



>Message: 2
>Subject: Re: Corporate public key?
>From: "Dennis Lambe Jr." <malsyned@cif.rochester.edu>
>Reply-To: malsyned@cif.rochester.edu
>To: Neil Williams <linux@codehelp.co.uk>
>Cc: gnupg-users@gnupg.org
>Organization: 
>Date: 08 Jul 2003 15:06:25 -0400

[...]

>If ING has signed a key which says it belongs to John Smith, VP of
>Security, then you can know that John Smith really is the VP of
>Security for ING.  That is, unless the person in charge of keysignings
>at ING is irresponsible or malicious, in which case we've got much
>bigger problems.

[...]

The entire corporate issue, while it would bring OpenPGP into everyday
commercial practice, is fraught with practical difficulties that must
be given a great deal of thought before implementing:

[1] What happens when the person already has a sizeable amount of money
deposited, and then loses the key or passphrase
(and lost the backups too)?
Is there an alternate physical means of identification to restore account
access?

[2] Similarly, if the key gets compromised
(net-crackers that can gain bank account access if they harvest keys
and passphrases may then consider keys a priority target ...),
the key can be revoked, but how is the new account re-generated?

Tying it to the revoking key is a possibility, but one that opens new
security issues about protecting the revocation certificate.


Interesting to see what becomes of the idea...

with Respect,

vedaal
