trust your corporation for keyowner identification?

Pete Stephenson pete at heypete.com
Wed Oct 16 15:28:47 CEST 2013


On Wed, Oct 16, 2013 at 2:04 PM, Brian J. Murrell <brian at interlinx.bc.ca> wrote:
> If you worked in a corporate environment, would you trust the HR
> department there to have verified the identity of employees well enough
> to leverage that into signing a GPG key?

In general, I'd be fine with that. Corporations generally need a
fairly large amount of information about their employees (e.g. for tax
purposes) and so should be able to verify the identity of employees
with a high degree of confidence.

> Let's say such an environment had a messaging system where employees
> had to authenticate with their corporate IT credentials in order to use
> the system.  Would that, and the assertion by HR/IT that a message that
> I get from Bob really did come from the employee HR verified as Bob
> (i.e. when they hired him) be enough for you to trust the key you get from
> Bob enough to sign it that it really is Bob's?
>
> I guess what I am describing is a virtual key signing party where the
> verification of IDs is being done by the corporation instead of the
> individuals.

In my specific case, I only publicly sign (as opposed to locally sign)
keys when I have (a) personally met a person and verified their ID and
key fingerprint/details or (b) a person is well-known to me (e.g. a
family member, long time friend, etc.) and they provide me their key
fingerprint and communicate in a way that I can verify who they are
(e.g. I call them on the phone, recognize their voice, and they read
me their key fingerprint).

I would be reasonably sure that a key signed by an HR department
actually belongs to the named person, but I wouldn't publicly assert
that by signing their key.

Your mileage may vary. :)

Cheers!
-Pete
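The verify-then-sign step Pete describes, as an added example (not from the thread and not GnuPG's own code): the fingerprint read out over the phone is compared with the one in the local keyring, and only on a match is a non-exportable local certification applied. It assumes GnuPG 2.1 or later on PATH; the key ID and fingerprint passed in are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. Assumes gpg (GnuPG >= 2.1)
# is on PATH; key IDs and fingerprints passed in are placeholders.
set -eu

# Normalise a fingerprint as it is read over the phone or typed from a
# business card: drop spaces/colons and upper-case, so layouts compare equally.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr '[:lower:]' '[:upper:]'
}

# Compare two fingerprints in any common layout. Returns 0 on match.
fprs_match() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Primary-key fingerprint of a key in the local keyring, taken from the
# machine-readable --with-colons output (field 10 of the first "fpr" record).
keyring_fpr() {
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Certify the key only after the out-of-band fingerprint matched.
# --quick-lsign-key makes a local (non-exportable) certification: a note for
# your own keyring, not a public assertion about the key owner's identity.
local_sign_if_verified() {
    local key_id="$1" spoken_fpr="$2" stored
    stored="$(keyring_fpr "$key_id")"
    if [ -z "$stored" ]; then
        echo "no key $key_id in keyring" >&2
        return 2
    fi
    if ! fprs_match "$stored" "$spoken_fpr"; then
        echo "fingerprint mismatch for $key_id; not signing" >&2
        return 1
    fi
    # Swap in --quick-sign-key only when an exportable, public signature
    # is actually intended (the stricter policy in the reply above).
    gpg --batch --quick-lsign-key "$stored"
}
```

Run as `local_sign_if_verified <KEYID> "<fingerprint as read to you>"`; a mismatch or missing key returns non-zero and nothing is signed.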


