Corporate public key?
Wed Jul 9 22:00:02 2003
>Date: Wed, 9 Jul 2003 09:50:11 -0400
>From: darren chamberlain <firstname.lastname@example.org>
>Subject: Re: Gnupg-users digest, Vol 1 #1332 - 9 msgs
>* vedaal at hush.com <vedaal at hush.com> [2003-07-09 08:21]:
>> to tie it to the revoking key, is a possiblity, but one that opens
>> security issues about protecting the revocation certificate
>Yeah, if only banks had, like, safe deposit boxes or something...
yeah, but the *online* bank in question may not have one in a location
that is reachable quickly enough
still, it could be made to work ...
if the revocation certificate is generated at the time the account is
and the revocation certificate is armored-signed by the account-user's
key, and sent to the bank with the instruction that, in the event of
a key compromise, the bank should require an exact copy of the signed
revocation certificate in order to re-open the account.
a very nice, and possibly under-utilized, property of open pgp signed
messages, (and encrypted messages), is that the message block or signature
block is unique.
re-signing the same exact clear-text with the same exact key, even with
the computer altered time to match the time of the original signing,
will have an infinitesmal chance of matching the original signed message
block or signature block,
so even if the key becomes compromised and an attacker produces a new
revocation certificate, it cannot be used to re-access the account
the authentic user can print out the original signed revocation certificate,
fax it to the bank, and then proceed to set-up a new replacement key
with a new certificate.
can be made to be do-able if the bank wants to trouble-shoot and set
it up, and the users agree to it ...
Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2
Free, ultra-private instant messaging with Hush Messenger
Promote security and make money with the Hushmail Affiliate Program: