Keysigning a "corporate" key - how ?

greg@turnstep.com
Thu Jan 16 21:24:01 2003




> I'll be attending a keysigning party today...
> 
> What would be the best for "corporate" ID verification? We're a
> Canadian company and as such our company records show up at
> Strategis.gc.ca (Industry Canada's corporations directory) and a
> provincial site too (www.igif.gouv.qc.ca). However, what physical
> proof(s) would be recognized by most people (including
> non-locals), in your opinion?

I am not comfortable with signing a "corporate" ID, but an additional 
check would be to put something unique on the company's web page, 
under the assumption that nobody but the company has control over 
that domain. For example, if I were at the party, I would give you 
a secret phrase. You would then encrypt the phrase (to me only), 
sign it with the corporate key, and then post the encrypted (armored) 
text somewhere on the website, preferably somewhere prominent to 
prevent some lone employee from creating obscure URLs. I would check 
the page, decrypt the message, verify the phrase, and check that it 
was made by the same key as the one at the key signing. Listing the 
key in the whois record would be a nice touch as well. After all that, 
I probably would not have signed it :), but I think it constitutes 
at least some additional assurances.

--
Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 200301161520
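The challenge described above, run end to end as a scripted GnuPG demo. This is an added example, not from the original post: two throwaway keyrings in a temp directory stand in for the verifier and the company, the example.invalid addresses, the phrase and the "website" file are all constructed, and it assumes gpg 2.1 or later is in PATH (it reports "skip" otherwise).

```shell
#!/bin/sh
# Added example, not from the original post: a scripted run of the
# web-page challenge, using two throwaway GnuPG keyrings in a temp dir.
# Addresses, the phrase and the "website" file are all constructed.
set -eu

gpg_as() {  # run gpg as one party, non-interactive, keys left unprotected
  who=$1; shift
  GNUPGHOME="$WORK/$who" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

run_challenge() {
  command -v gpg >/dev/null 2>&1 || { echo skip; return 0; }
  WORK=$(mktemp -d); export WORK
  for who in verifier company; do
    mkdir -m 700 "$WORK/$who"
    gpg_as "$who" --quick-generate-key "$who@example.invalid" default default 1d
  done
  # At the party: the verifier notes the corporate key's fingerprint in person.
  party_fpr=$(gpg_as company --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
  # Both sides exchange public keys (the company needs the verifier's to encrypt to him).
  gpg_as verifier --export --armor | gpg_as company --import
  gpg_as company --export --armor | gpg_as verifier --import
  # Company side: encrypt the secret phrase to the verifier only, sign with the
  # corporate key, and "publish" the armored text on the website (a file here).
  phrase="constructed secret phrase 2003-01-16"
  printf '%s' "$phrase" | gpg_as company --armor --encrypt --sign \
    --local-user company@example.invalid --recipient verifier@example.invalid \
    --trust-model always > "$WORK/site.asc"
  # Verifier side: fetch the page, decrypt, and read the machine-readable status.
  status=$(gpg_as verifier --status-fd 1 --output "$WORK/plain.txt" --decrypt "$WORK/site.asc")
  seen=$(cat "$WORK/plain.txt")
  # VALIDSIG's last field is the primary-key fingerprint of whoever signed.
  sig_fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/{print $NF; exit}')
  gpgconf --homedir "$WORK/verifier" --kill gpg-agent || true
  gpgconf --homedir "$WORK/company" --kill gpg-agent || true
  rm -rf "$WORK"
  # The two checks from the post: right phrase, and the same key as at the party.
  [ "$seen" = "$phrase" ] || { echo "phrase mismatch"; return 1; }
  [ -n "$sig_fpr" ] && [ "$sig_fpr" = "$party_fpr" ] || { echo "key mismatch"; return 1; }
  echo ok
}

run_challenge
```

Only a holder of the corporate private key can produce a VALIDSIG matching the fingerprint recorded at the party, and only the verifier can read the phrase, which is what ties the web page to the key.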
