Keysigning a "corporate" key - how ?
Thu Jan 16 21:09:02 2003
On Thu, Jan 16, 2003 at 11:11:01AM -0800, Matt Wronkiewicz wrote:
> > What would be the best for "corporate" ID verification ?
> same, to provide a better web of trust. This way the people at
> the key-signing event are not put in a position where they have
> to determine, from their own limited knowledge of your company,
> whether you are a trusted representative from your company or
> if you are trying to push a phony key.
Signatures from (alleged) employees still serve to "push" (i.e., certify)
the (alleged) corporate key. This is good, not bad, but needs to be
I would also recommend the following:
a) publish the corporate key on the company website
b) publish the key via https secured with a CA-issued certificate, which
shows that the issuing CA also checked your company records
c) verify key <-> email mappings for the corporate key (by accepting
encrypted messages and signing outgoing messages)
d) sign employee keys with the corporate key (and revoke the signatures
when employees leave)
e) put the key fingerprint on printed documents: letterhead, brochures,
business cards, etc.
f) verify the key fingerprint via phone when requested
Carefully consider who has access to the private key though.
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
firstname.lastname@example.org | web: http://jharris.cjb.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
-----END PGP SIGNATURE-----
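Recommendations a), e) and f) above amount to one check a correspondent can make: take the key published on the website and compare its fingerprint with the one on the letterhead or read out over the phone. The following is an added example of that check, written for this page and not code from the original message or from Jason Harris. It uses only the Python standard library; the key material (TOY_N, TOY_E, TOY_CREATED) is constructed and is not a real key, and the function names are this example's own.

```python
"""Added example (not from the original message): check a published OpenPGP key against
the fingerprint printed on letterhead or read over the phone. The key below is a
CONSTRUCTED toy v4 RSA public-key packet, not a real key."""
import base64
import hashlib

TOY_N = (1 << 2047) | 0x1234_5678_9ABC_DEF0_0FED_CBA9_8765_4321  # constructed, not a real modulus
TOY_CREATED = 1042675200  # constructed creation time, 2003-01-16 00:00 UTC

def crc24(data):
    """Armor checksum, RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def mpi(n):
    """Multi-precision integer: two-octet bit count, then big-endian magnitude."""
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def public_key_packet(n, e, created, old_format=False):
    """Tag 6 packet with a v4 RSA body, in either header style (body under 8384 octets)."""
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)
    ln = len(body)
    if old_format:  # 0x99 = old-format header, tag 6, two-octet length: the fingerprint prefix
        return bytes([0x80 | (6 << 2) | 1]) + ln.to_bytes(2, "big") + body
    if ln < 192:
        return bytes([0xC0 | 6, ln]) + body
    return bytes([0xC0 | 6, ((ln - 192) >> 8) + 192, (ln - 192) & 0xFF]) + body

def armor(packet_bytes):
    """ASCII armor as it would appear on the company web page."""
    b64 = base64.b64encode(packet_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(packet_bytes).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""] + lines
                     + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"]) + "\n"

def dearmor(text):
    """Strip armor and verify the CRC (catches copy damage, not a substituted key)."""
    lines = [line.rstrip() for line in text.strip().splitlines()]
    if lines[0] != "-----BEGIN PGP PUBLIC KEY BLOCK-----" or lines[-1] != "-----END PGP PUBLIC KEY BLOCK-----":
        raise ValueError("not a public key block")
    body = lines[1:-1]
    data_lines = [line for line in body[body.index("") + 1:] if line]  # skip armor headers
    crc_line = data_lines.pop() if data_lines[-1].startswith("=") else None
    data = base64.b64decode("".join(data_lines))
    if crc_line and int.from_bytes(base64.b64decode(crc_line[1:]), "big") != crc24(data):
        raise ValueError("armor CRC mismatch")
    return data

def packets(data):
    """Yield (tag, body) per packet; old- and new-format headers, no partial or 5-octet lengths."""
    pos = 0
    while pos < len(data):
        c = data[pos]
        if c & 0x40:  # new format: tag in low 6 bits, length in the following octet(s)
            tag, first = c & 0x3F, data[pos + 1]
            if first >= 224:
                raise ValueError("partial or 5-octet length not supported")
            if first < 192:
                ln, pos = first, pos + 2
            else:
                ln, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
        else:  # old format: tag in bits 2-5, length-of-length in bits 0-1
            tag, ltype = (c >> 2) & 0x0F, c & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            ln = int.from_bytes(data[pos + 1:pos + 1 + (1 << ltype)], "big")
            pos += 1 + (1 << ltype)
        yield tag, data[pos:pos + ln]
        pos += ln

def v4_fingerprint(body):
    """SHA-1 over 0x99, two-octet body length, body (RFC 4880 section 12.2)."""
    if body[0] != 4:
        raise ValueError("only v4 keys; v3 keys use an MD5 fingerprint over the MPIs")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def fingerprint_of_armored_key(text):
    """Fingerprint of the primary key, i.e. the first tag-6 packet in the block."""
    for tag, body in packets(dearmor(text)):
        if tag == 6:
            return v4_fingerprint(body)
    raise ValueError("no public-key packet found")

def matches_printed(fingerprint, printed):
    """Compare with a fingerprint read off paper or the phone; spacing, colons and case are noise."""
    return "".join(printed.replace(":", "").split()).upper() == fingerprint

CORPORATE_KEY_ARMORED = armor(public_key_packet(TOY_N, 65537, TOY_CREATED))

if __name__ == "__main__":
    fp = fingerprint_of_armored_key(CORPORATE_KEY_ARMORED)
    print(" ".join(fp[i:i + 4] for i in range(0, 40, 4)), matches_printed(fp, fp.lower()))
```

In practice `gpg --fingerprint` does this for you; the point of spelling it out is to see what the number on the business card actually binds to. The fingerprint is a hash of the exact public-key packet bytes (version, creation time, algorithm, key material), so a substitute key carrying the same company name and e-mail address gets a different fingerprint, which is exactly what recommendations e) and f) let a correspondent catch. The armor CRC, by contrast, only detects copy or transcription damage and says nothing about who made the key. Note also that the function handles v4 keys only; v3 keys, still in circulation in 2003, use a different MD5-based fingerprint and are rejected with an error.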