Keysigning a "corporate" key - how ?

Jason Harris
Thu Jan 16 21:09:02 2003

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Jan 16, 2003 at 11:11:01AM -0800, Matt Wronkiewicz wrote:
> > What would be the best for "corporate" ID verification ?
> same, to provide a better web of trust. This way the people at
> the key-signing event are not put in a position where they have
> to determine, from their own limited knowledge of your company,
> whether you are a trusted representative from your company or
> if you are trying to push a phony key.

Signatures from (alleged) employees still serve to "push" (i.e., certify)
the (alleged) corporate key.  This is good, not bad, but needs to be

I would also recommend the following:

a) publish the corporate key on the company website
b) publish the key via https secured with a CA-issued certificate, which
     shows that the issuing CA also checked your company records
c) verify key <-> email mappings for the corporate key (by accepting
     encrypted messages and signing outgoing messages)
d) sign employee keys with the corporate key (and revoke the signatures
     when employees leave)
e) put the key fingerprint on printed documents:  letterhead, brochures,
     business cards, etc.
f) verify the key fingerprint via phone when requested

Carefully consider who has access to the private key though.

Jason Harris          | NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it? | web:

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.1 (FreeBSD)