Corporate public key?

Neil Williams linux@codehelp.co.uk
Tue Jul 8 20:37:02 2003



On Tuesday 08 Jul 2003 6:13 pm, malsyned@dennisx.cif.rochester.edu wrote:
> On Tue, 8 Jul 2003, Daniel Carrera wrote:

> An ING corporate key has added power when the WoT is taken into
> consideration.  If ING's signing policy states that an ING signature on a
> key means that the individual is an authorized agent of ING, you can be
> sure that when you receive a communication from anyone who's key bears
> ING's signature, that person is authorized to act on behalf of ING.

I've imported public keys with some 700 signatures, but for WoT to work at the
customer end, wouldn't every customer (including potential customers who may
be turned down for loans, credit etc.) have to sign the corporate ING key?
That could be a few thousand. A key in my public ring only activates the WoT
if there is a path from my key to the target key (of a short-ish length). The
path cannot begin until I've signed the ING key or a key that has also signed
the ING key. Is it practical to put in the policy that customers only sign
the ING key as non-exportable? Or must ING maintain the key and delete
customer exportable signatures?


> Perhaps their UID would contain their corporate title:
>
> uid  John Smith (Vice President of Security) <jsmith@ing.com>
> sig    ING Corporation <ing@ing.com>
>
> So now, when John Smith tells you he works for ING and that your loan was
> approved, you know it's true.

The UID details are not exactly hard to forge; the security should really be
left to the fingerprint and signatures. If the email is signed (or preferably
signed and encrypted), then the contents of the email, including the address
and contact details of the person at ING, can be verified with the signature
- a bad signature and the customer must ask for confirmation from a central
support address at ING.

> This use of the WoT along with a corporate signature means that very few
> people (perhaps just a guy in IT and a guy in HR) need access to
> ING's main private key in order to sign new employee's keys and revoke
> signatures on former employees when they leave the company.
> I'm a CS undergrad and an expert in nothing, but to me this seems like a
> good and workable idea.
>
> --Dennis Lambe

Just how practical ING will see it, we can only wait.

-- 

Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk

http://www.wewantbroadband.co.uk/
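The trust-path argument above (a customer's keyring does not validate an ING employee's key until the customer has signed ING's key, or a few keys that have signed it, and a non-exportable signature never leaves the customer's ring) can be made concrete with a small model of the classic GnuPG web-of-trust calculation. The following is an added example written for this page, not code from the thread or from GnuPG; it assumes GnuPG's classic defaults (completes-needed 1, marginals-needed 3, max-cert-depth 5), and the key names alice, ing, jsmith, bob, carol and dave are constructed for the scenario.

```python
"""Toy model of the GnuPG "classic" web-of-trust validity calculation.

Constructed example, not GnuPG's own code: keys are plain names,
certifications are signer -> target edges, and every key carries an
ownertrust level. Defaults mirror GnuPG classic: completes-needed=1,
marginals-needed=3, max-cert-depth=5.
"""
from __future__ import annotations

from dataclasses import dataclass, field

UNKNOWN, MARGINAL, FULL, ULTIMATE = 0, 1, 2, 3


@dataclass
class Cert:
    signer: str
    target: str
    exportable: bool = True  # False models a local `gpg --lsign-key`


@dataclass
class Keyring:
    ownertrust: dict[str, int] = field(default_factory=dict)
    certs: list[Cert] = field(default_factory=list)
    completes_needed: int = 1
    marginals_needed: int = 3
    max_cert_depth: int = 5

    def sign(self, signer: str, target: str, exportable: bool = True) -> None:
        self.certs.append(Cert(signer, target, exportable))

    def validity(self) -> dict[str, int]:
        """Return {key: depth} for every key this ring considers valid.

        Depth 0 is the owner's own (ultimately trusted) key. A key becomes
        valid at depth d when enough already-valid, trusted keys at a
        shallower depth have certified it: one FULL/ULTIMATE certifier, or
        marginals_needed MARGINAL certifiers. Keys beyond max_cert_depth
        are never reached, which is the "short-ish path" constraint.
        """
        depth = {k: 0 for k, t in self.ownertrust.items() if t == ULTIMATE}
        for d in range(1, self.max_cert_depth + 1):
            known = dict(depth)  # certifiers must already be valid at depth < d
            changed = False
            for target in {c.target for c in self.certs}:
                if target in known:
                    continue
                full = marginal = 0
                for c in self.certs:
                    if c.target != target or c.signer not in known:
                        continue
                    t = self.ownertrust.get(c.signer, UNKNOWN)
                    if t in (FULL, ULTIMATE):
                        full += 1
                    elif t == MARGINAL:
                        marginal += 1
                if full >= self.completes_needed or marginal >= self.marginals_needed:
                    depth[target] = d
                    changed = True
            if not changed:
                break
        return depth

    def exportable_certs(self, key: str) -> list[Cert]:
        """The certifications `gpg --export` would emit for `key`:
        non-exportable (lsign) certifications stay in the local ring."""
        return [c for c in self.certs if c.target == key and c.exportable]


def ing_scenario(customer_signs_ing: bool, via_colleagues: bool = False) -> Keyring:
    """Customer alice's ring. ING has certified employee jsmith's key and
    alice has assigned ING full ownertrust (it certifies only its staff)."""
    kr = Keyring(ownertrust={"alice": ULTIMATE, "ing": FULL})
    kr.sign("ing", "jsmith")
    if customer_signs_ing:
        kr.sign("alice", "ing", exportable=False)  # lsign: never leaves alice's ring
    if via_colleagues:
        # alice has signed three marginally trusted people who each signed ING
        for friend in ("bob", "carol", "dave"):
            kr.ownertrust[friend] = MARGINAL
            kr.sign("alice", friend)
            kr.sign(friend, "ing")
    return kr


if __name__ == "__main__":
    print("no path:      ", ing_scenario(False).validity())
    print("lsign ING:    ", ing_scenario(True).validity())
    print("via 3 friends:", ing_scenario(False, via_colleagues=True).validity())
    print("exported certs on ing after lsign:",
          ing_scenario(True).exportable_certs("ing"))
```

Without any signature from alice, jsmith's key never becomes valid no matter how many other signatures ING's key carries; once alice locally signs ING's key, jsmith validates at depth 2, and the lsign is absent from what alice would export, which is the non-exportable policy the message asks about. The colleague route shows the other path the message mentions: three marginally trusted signers of the ING key validate it at depth 2 and jsmith at depth 3, still inside the default depth limit.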

