trust your corporation for keyowner identification?

Brian J. Murrell brian at
Wed Oct 16 14:04:39 CEST 2013

If you worked in a corporate environment, would you trust the HR
department there to have verified the identity of employees well enough
to leverage that into signing a GPG key?

Let's say such an environment had a messaging system where employees
had to authenticate with their corporate IT credentials in order to use
the system.  Would that, and the assertion by HR/IT that a message that
I get from Bob really did come from the employee HR verified as Bob
(i.e. when they hired him) be enough for you to trust the key you get from
Bob enough to sign it that it really is Bob's?

I guess what I am describing is a virtual key signing party where the
verification of IDs is being done by the corporation instead of the

