Corporate public key?

Adrian 'Dagurashibanipal' von Bidder
Wed Jul 9 10:11:02 2003

A really interesting thread!

On Tuesday 08 July 2003 18:33, Daniel Carrera wrote:

> Does GPG have a solution for this kind of problem?  Is there a way to have
> a corporate signature?

I'd think technically this is no problem at all. A few things to think of:

As Neil said: many people will sign the corporate key. This will probably look
ugly on the keyservers, but it doesn't really matter. And I guess the
'official' copy as distributed by the company would only include a few
signatures (CAs, a few key employees perhaps).

Also mentioned already: access to the secret key(s). As we're speaking of a
bank, where access to protected content is an everyday occurrence, I don't see
any problems. Just one more application on the desktop of the person at the
call center (and probably one more password sticking under the keyboard,
unless some single sign-on solution is used), which will send a 'sign this
key' request to some server. This server will then cause the signed public
key of the customer to be sent out by email.

My biggest beef with gpg (and pk crypto in general): what does the signature
mean? A signature on a customer's key means 'this person has been identified by
the company'. A signature on an employee's key means 'identified *and also* this
person is an employee'. Signatures between role keys are more like 'this key
belongs to the company and should be used for this and that purpose'.
Solution? (1) use role keys. A master key of the company used only to certify
other role keys. A key only used to sign employees' keys. A key used to sign
customers' keys. Document these roles. (2) use policy URLs (this is what I
do - every signature by my key has a policy URL explaining what the signature
means). In theory, policy URLs alone could be enough, but in practice, many
people don't see the policy URL when they see the signature.

I think the non-technical problems are much harder: get people to actually use
pgp/gpg. Get people to have a feeling for security, and to know how they
should verify the authenticity of the public key. Improving the UI does help,
but a big part is that people just don't care. Somebody got a fake SSL cert
for the Microsoft name from Verisign - was there a public uproar? No. A few
geeks laughed at Verisign, there were perhaps one or two 20-line articles in
the tech corner of the bigger newspapers, but nobody really cared.

To conclude: the technical problems can easily be solved - but your nice
solution won't gain acceptance by the majority of the customers. And I guess
for .1% of the customers, ING won't deploy such a solution. Yes, I think this
is sad and should be changed, too, and I wish you good luck.

So long
-- vbi

Jack Nicklaus hit a golf shot that only gravity kept on this Earth.
        -- ESPN (the sports channel)

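The two mechanisms proposed in the mail above, a master key that certifies only role keys (which in turn certify employee or customer keys) and a policy URL on every key signature, as an added gpg example that is not part of the original post or of any GnuPG project code. All key names, addresses and policy URLs are hypothetical, the keys are generated without a passphrase into a throwaway GNUPGHOME, and the script assumes a GnuPG 2.1 or later that understands --quick-generate-key and --quick-sign-key:

```shell
#!/bin/sh
# Added example, not code from the original post: a role-key hierarchy with a
# policy URL on every certification, built with gpg in a throwaway keyring.
# All names, addresses and URLs below are hypothetical.
set -eu

export GNUPGHOME="$(mktemp -d)"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT

# gpg without prompts; these demo keys are deliberately left unprotected.
gpgq() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

# make_key "User ID" USAGE: create a key and print its fingerprint.
# USAGE 'cert' gives a certify-only key that can sign other keys and nothing
# else, which is all a master key or a role key should ever do.
make_key() {
    gpgq --quick-generate-key "$1" default "$2" never >/dev/null 2>&1
    gpg --batch --with-colons --list-keys "=$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# certify SIGNER TARGET URL: SIGNER signs every user ID on TARGET and embeds URL
# as the signature's policy URL (what gpg lists as 'Signature policy:').
certify() {
    gpgq --local-user "$1" --cert-policy-url "$3" --quick-sign-key "$2" 2>/dev/null
}

# has_policy TARGET SIGNER URL: succeed only if TARGET carries a good ('sig!')
# signature made by SIGNER whose policy URL is exactly URL. The key ID printed
# on a sig line is the last 16 hex digits of the signer's fingerprint.
has_policy() {
    gpg --batch --check-sigs --keyid-format long \
        --list-options show-policy-urls "$1" 2>/dev/null |
    awk -v kid="$(printf '%s' "$2" | tail -c 16)" -v url="$3" '
        /^sig/ { cur = ($1 ~ /^sig!/ && index($0, kid) > 0); next }
        /Signature policy:/ && cur && $NF == url { found = 1 }
        END { exit !found }'
}

POLICY_ROLE=https://bank.example/pgp/policy/role-key
POLICY_CUST=https://bank.example/pgp/policy/customer-identified

demo() {
    master=$(make_key "Example Bank master key <master@bank.example>" cert)
    role_cust=$(make_key "Example Bank customer identification key <customers@bank.example>" cert)
    role_emp=$(make_key "Example Bank employee key signer <employees@bank.example>" cert)
    alice=$(make_key "Alice Customer <alice@example.net>" sign)

    # (1) role keys: the master certifies the role keys and nothing else.
    certify "$master" "$role_cust" "$POLICY_ROLE"
    certify "$master" "$role_emp"  "$POLICY_ROLE"
    # (2) policy URL: the customer role key's signature means only 'this person
    #     was identified by the bank', and the URL is where that is documented.
    certify "$role_cust" "$alice" "$POLICY_CUST"

    # What a relying party sees: the 'P' flag on the sig line and the URL below it.
    gpg --batch --check-sigs --keyid-format long \
        --list-options show-policy-urls "$alice" 2>/dev/null || true

    if has_policy "$alice" "$role_cust" "$POLICY_CUST" &&
       ! has_policy "$alice" "$master" "$POLICY_ROLE"; then
        echo "customer key certified by the customer role key only, policy URL attached"
    else
        echo "unexpected certification chain" >&2
        return 1
    fi
}

if command -v gpg >/dev/null 2>&1; then
    demo
else
    echo "gpg not found; nothing run" >&2
fi
```

The point of checking both the signer and the URL in has_policy is the one the mail makes: a bare 'sig!' line says only that some key signed this one, and which role key made it plus what its policy URL says is what turns that into 'identified by the bank' rather than 'is an employee'. In a real deployment the master key would live offline and only be brought out to certify a new role key.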