Keysigning a "corporate" key - how ?
Thu Jan 16 21:24:01 2003
> I'll be attending a keysigning party today...
> What would be the best for "corporate" ID verification ? We're a
> Canadian company and as such our company records show up at
> Strategis.gc.ca (Industry Canada's corporations directory) and a
> provincial site too (www.igif.gouv.qc.ca). However, what physical
> proof(s) would be recognized by the most people (including
> non-locals), in your opinion ?
I am not comfortable with signing a "corporate" ID, but an additional
check would be to put something unique on the company's web page,
under the assumption that nobody but the company has control over
that domain. For example, if I were at the party, I would give you
a secret phrase. You would then encrypt the phrase (to me only),
sign it with the corporate key, and then post the encrypted (armored)
text somewhere on the website, preferably somewhere prominent to
prevent some lone employee from creating obscure URLs. I would check
the page, decrypt the message, verify the phrase, and check that it
was made by the same key as the one at the key signing. Listing the
key in the whois record would be a nice touch as well. After all that,
I probably would not have signed it :), but I think it constitutes
at least some additional assurances.
Greg Sabino Mullane email@example.com
PGP Key: 0x14964AC8 200301161520
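The verifier's side of the challenge described in the reply above, as an added example that is not part of the original post: it checks that a posting decrypted, carries a good signature, was signed by the key whose fingerprint was shown at the keysigning, and contains the phrase that was handed out. The function names, fingerprint, phrase and status lines are constructed for illustration; the status keywords are those GnuPG writes with `--status-fd`.

```python
import hmac
import subprocess

# Company side, for reference:
#   gpg --armor --local-user CORP_FPR --recipient VERIFIER_FPR --sign --encrypt phrase.txt
# Status keywords after which the signature must not be relied on.
BAD_SIG = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed fingerprint
SAMPLE_STATUS = (  # constructed gpg --status-fd lines for a good posting
    "[GNUPG:] DECRYPTION_OKAY\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Corp <keys@example.com>\n"
    "[GNUPG:] VALIDSIG " + FPR + " 2003-01-16 1042752241 0 4 0 17 2 00 " + FPR + "\n")

def normalize(fpr):
    """Compare fingerprints without spaces and without regard to case."""
    return "".join(fpr.split()).upper()

def check_challenge(status_text, plaintext, expected_fpr, expected_phrase):
    """Return (ok, reason) for one decrypted challenge posting."""
    if len(normalize(expected_fpr)) < 40:
        return False, "need the full fingerprint, not a key ID"
    decrypted = good = False
    fprs = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in BAD_SIG:
            return False, "signature rejected: " + keyword
        if keyword == "DECRYPTION_OKAY":
            decrypted = True
        elif keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # First field: key that made the signature; last: its primary key.
            fprs.update({normalize(args[0]), normalize(args[-1])})
    if not decrypted:
        return False, "message was not decrypted"
    if not (good and fprs):
        return False, "no good signature"
    if normalize(expected_fpr) not in fprs:
        return False, "signed by a different key than the one at the keysigning"
    if not hmac.compare_digest(plaintext.strip().encode(), expected_phrase.strip().encode()):
        return False, "phrase does not match"
    return True, "challenge verified"

def verify_posted(path, expected_fpr, expected_phrase):
    """Decrypt a posting saved from the website with the local gpg, then check it."""
    run = subprocess.run(["gpg", "--batch", "--status-fd", "2", "--decrypt", path],
                         capture_output=True, text=True)
    return check_challenge(run.stderr, run.stdout, expected_fpr, expected_phrase)
```

A revoked or expired signing key still produces a `VALIDSIG` line, which is why the check requires `GOODSIG` and rejects on `REVKEYSIG` or `EXPKEYSIG` rather than trusting `VALIDSIG` alone.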