Corporate public key?

Adrian 'Dagurashibanipal' von Bidder avbidder@fortytwo.ch
Wed Jul 9 10:11:02 2003


A really interesting thread!

On Tuesday 08 July 2003 18:33, Daniel Carrera wrote:

> Does GPG have a solution for this kind of problem?  Is there a way to have
> a corporate signature?

I'd think technically, this is no problem at all. A few things to think of:

As Neil said: many people will sign the corporate key. This will probably look
ugly on the keyservers, but it doesn't really matter. And I guess the
'official' copy as distributed by the company would only include a few
signatures (CAs, a few key employees perhaps).

Also mentioned already: access to the secret key(s): As we're speaking of a
bank, where access to protected content is an everyday occurrence, I don't see
any problems. Just one more application on the desktop of the person at the
callcenter (and probably one more password sticking under the keyboard,
unless some single sign-on solution is used), which will send a 'sign this
key' request to some server. This server will then cause the signed public
key of the customer to be sent out by email.

My biggest beef with gpg (and pk crypto in general): what does the signature
mean? A signature on a customer's key means 'this persona has been identified by
the company'. A signature on an employee's key means 'identified *and also* this
person is an employee'. Signatures between role keys are more like 'this key
belongs to the company and should be used for this and that purpose'.
Solution? (1) use role keys. A master key of the company used only to certify
other role keys. A key only used to sign employees' keys. A key used to sign
customers' keys. Document these roles. (2) use of policy URLs (this is what I
do - every signature by my key has a policy URL explaining what the signature
means). In theory, policy URLs alone could be enough, but in practice, many
people don't see the policy URL when they see the signature.

I think the non-technical problems are much harder: get people to actually use
pgp/gpg. Get people to have a feeling for security, and to know how they
should verify the authenticity of the public key. Improving the UI does help,
but a big part is that people just don't care. Somebody got a fake SSL cert
for the Microsoft name from Verisign - was there a public uproar? No. A few
geeks laughed at Verisign, there were perhaps one or two 20-line articles in
the tech corner of the bigger newspapers, but nobody really cared.

To conclude: the technical problems can easily be solved - but your nice
solution won't gain acceptance by the majority of the customers. And I guess
for .1% of the customers, ING won't deploy such a solution. Yes, I think this
is sad and should be changed, too, and I wish you good luck.

So long
-- vbi

-- 
Jack Nicklaus hit a golf shot that only gravity kept on this Earth.
        -- ESPN (the sports channel)


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iKcEABECAGcFAj8LzodgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h
aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjUmbWQ1c3VtPTVkZmY4NjhkMTE4NDMyNzYw
NzFiMjVlYjcwMDZkYTNlAAoJEIukMYvlp/fWOyIAoLSzWwxjthjQOahVqMwP7Ww4
1tO1AJ9FALoWvxlbfcLQ/VPmXIpkNLpLuA==
=xnbR
-----END PGP SIGNATURE-----
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.5&md5sum=5dff868d11843276071b25eb7006da3e

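The message above makes two practical points: a signature's meaning should be stated in a policy URL, and most people never see that URL. The following added example (written for this page, not code from the list thread or from GnuPG) shows where the URL actually lives: it dearmors the OpenPGP signature at the bottom of this very message, checks the armor CRC-24, parses the version 4 signature packet and its subpackets (RFC 4880), and surfaces the Policy URI subpacket (type 26) together with the creation time and issuer key ID. The input is the signature block copied from the message; the subpacket type numbers and packet layout are the RFC 4880 ones. A defender's caveat the code enforces: only subpackets in the hashed area are covered by the signature, so a policy URL in the unhashed area is ignored.

```python
import base64
from datetime import datetime, timezone

# Input: the ASCII-armored signature copied from the message above.
ARMORED_SIGNATURE = """\
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iKcEABECAGcFAj8LzodgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h
aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjUmbWQ1c3VtPTVkZmY4NjhkMTE4NDMyNzYw
NzFiMjVlYjcwMDZkYTNlAAoJEIukMYvlp/fWOyIAoLSzWwxjthjQOahVqMwP7Ww4
1tO1AJ9FALoWvxlbfcLQ/VPmXIpkNLpLuA==
=xnbR
-----END PGP SIGNATURE-----
"""

# RFC 4880 section 5.2.3.1 signature subpacket types used below.
SUBPACKET_CREATION_TIME = 2
SUBPACKET_ISSUER_KEY_ID = 16
SUBPACKET_POLICY_URI = 26
CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 over the binary data, as used by OpenPGP armor (RFC 4880 6.1)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def dearmor(armored: str):
    """Strip the armor; return (packet bytes, crc_ok or None if no CRC line)."""
    lines = [ln.rstrip() for ln in armored.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP ") or not lines[-1].startswith("-----END PGP "):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                      # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    crc_ok = None
    if body and body[-1].startswith("="):
        expected = int.from_bytes(base64.b64decode(body.pop()[1:]), "big")
        data = base64.b64decode("".join(body), validate=True)
        crc_ok = crc24(data) == expected
    else:
        data = base64.b64decode("".join(body), validate=True)
    return data, crc_ok


def read_packet_header(data: bytes, pos: int = 0):
    """Parse an old- or new-format packet header: (tag, body_start, body_len)."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("invalid packet header")
    if first & 0x40:                    # new-format header (RFC 4880 4.2.2)
        tag, b1 = first & 0x3F, data[pos + 1]
        if b1 < 192:
            return tag, pos + 2, b1
        if b1 < 224:
            return tag, pos + 3, ((b1 - 192) << 8) + data[pos + 2] + 192
        if b1 == 255:
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths not supported")
    tag, length_type = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if length_type == 3:
        raise ValueError("indeterminate length not supported")
    nbytes = 1 << length_type
    return tag, pos + 1 + nbytes, int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")


def parse_subpackets(area: bytes):
    """Yield (type, critical_flag, body) for each subpacket in an area."""
    pos = 0
    while pos < len(area):
        b1 = area[pos]
        if b1 < 192:
            length, pos = b1, pos + 1
        elif b1 < 255:
            length, pos = ((b1 - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = int.from_bytes(area[pos + 1:pos + 5], "big"), pos + 5
        type_octet = area[pos]
        yield type_octet & 0x7F, bool(type_octet & 0x80), area[pos + 1:pos + length]
        pos += length


def parse_v4_signature(armored: str) -> dict:
    """Extract the signed metadata (policy URL, time, issuer) from a v4 signature."""
    data, crc_ok = dearmor(armored)
    tag, pos, body_len = read_packet_header(data)
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = data[pos:pos + body_len]
    if body[0] != 4:
        raise ValueError(f"only version 4 signatures handled, got v{body[0]}")
    info = {"version": 4, "sig_type": body[1], "pubkey_algo": body[2], "hash_algo": body[3],
            "crc_ok": crc_ok, "policy_url": None, "issuer_key_id": None, "created": None,
            "critical_unknown": []}
    hashed_len = int.from_bytes(body[4:6], "big")
    hashed = body[6:6 + hashed_len]
    off = 6 + hashed_len
    unhashed = body[off + 2:off + 2 + int.from_bytes(body[off:off + 2], "big")]
    # Only the hashed area is covered by the signature, so the policy URL and
    # creation time are taken from there; the issuer key ID is merely a hint.
    for area_name, area in (("hashed", hashed), ("unhashed", unhashed)):
        for sp_type, critical, sp_body in parse_subpackets(area):
            if sp_type == SUBPACKET_CREATION_TIME and area_name == "hashed":
                info["created"] = int.from_bytes(sp_body, "big")
            elif sp_type == SUBPACKET_POLICY_URI and area_name == "hashed":
                info["policy_url"] = sp_body.decode("utf-8")
            elif sp_type == SUBPACKET_ISSUER_KEY_ID:
                info["issuer_key_id"] = sp_body.hex().upper()
            elif critical:              # an unknown critical subpacket must not be ignored
                info["critical_unknown"].append(sp_type)
    return info


if __name__ == "__main__":
    sig = parse_v4_signature(ARMORED_SIGNATURE)
    when = datetime.fromtimestamp(sig["created"], tz=timezone.utc)
    print(f"issuer {sig['issuer_key_id']} signed at {when:%Y-%m-%d %H:%M:%S} UTC "
          f"(pk algo {sig['pubkey_algo']}, hash algo {sig['hash_algo']}, crc ok: {sig['crc_ok']})")
    print("policy URL (signed):", sig["policy_url"])
```

Running it on the message's own signature prints the creation time (a few minutes before the Date header, in UTC), the issuer key ID and the same policy URL that GnuPG printed as "Signature policy:" under the block. A verifier that wants to enforce the meaning of a certification would act on the hashed policy URL only; an unknown subpacket with the critical bit set is reported rather than silently skipped, as RFC 4880 requires.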