trust your corporation for keyowner identification?

Paul R. Ramer free10pro at gmail.com
Mon Nov 11 18:56:15 CET 2013


Leo Gaspard <ekleog at gmail.com> wrote:
>However, to come back to the initial problem, I still believe the key change
>problem (ie. owner of K1 switches to K2) does not require re-verifying ownership
>etc. (BTW, isn't this also why transition statements, like
>https://we.riseup.net/assets/77263/key%20transition were written ?)
>
>But I still wonder how one should deal with key duplication (ie. owner of K1 now
>has a second key K2)...

I would verify ownership before signing.  Just as I would read a document before signing it even if I was told what was in it by someone I know.

It is not hard to do and it would be easy to justify. The other way, IMO, requires more effort to justify.

There is nothing special about this scenario that makes it require less thoroughness than any other key signing scenario.  Do things thoroughly and correctly.  It is that simple.

Cheers,

--Paul
--
PGP: 3DB6D884


