trust your corporation for keyowner identification?

David Shaw dshaw at jabberwocky.com
Wed Oct 16 15:51:59 CEST 2013


On Oct 16, 2013, at 8:04 AM, "Brian J. Murrell" <brian at interlinx.bc.ca> wrote:

> If you worked in a corporate environment, would you trust the HR
> department there to have verified the identity of employees well enough
> to leverage that into signing a GPG key?
> 
> Let's say such an environment had a messaging system where employees
> had to authenticate with their corporate IT credentials in order to use
> the system.  Would that, and the assertion by HR/IT that a message that
> I get from Bob really did come from the employee HR verified as Bob
> (i.e. when they hired him) be enough for you to trust the key you get from
> Bob enough to sign it that it really is really Bob's?
> 
> I guess what I am describing is a virtual key signing party where the
> verification of IDs is being done by the corporation instead of the
> individuals.

It's an interesting question, but it would not be enough for me.  If you think about it, this is effectively the same as Alice signing Baker's key, and then Charlie signing Baker's key because Charlie knows Alice (and not necessarily Baker).  If I were Charlie, I would not be willing to sign Baker's key, even if I knew and trusted Alice, without verifying Baker myself.

A somewhat related case would be when the corporation itself has a corporate signing key and on HR/IT approval, signs employee keys.  (This sort of thing is one of the classic uses for trust signatures).  In that case, you can either trust the corporate signing key or not, as you like.

David
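
An added illustration of the two trust paths discussed above (my own toy model, not part of this message and not GnuPG's actual trust-database code): a depth-0 certification only says "this key belongs to this person", while a trust signature of depth 1 on a corporate signing key additionally lets that key's own certifications validate employee keys. The key names and the single-signature, full-trust-only simplification are assumptions for the sake of the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    signer: str      # key ID of the certifying key
    target: str      # key ID whose user ID is being certified
    depth: int = 0   # 0 = ordinary certification; >= 1 = trust signature depth

ULTIMATE = 1 << 30   # the user's own key may introduce to any depth

def introducer_depths(own_key, certs):
    """Map each key that is valid from own_key's viewpoint to the depth to
    which it may act as an introducer (0 = its certifications carry no trust).
    Simplification (assumed): full trust amounts only, one signature suffices."""
    depth = {own_key: ULTIMATE}
    changed = True
    while changed:            # propagate until no key gains validity or depth
        changed = False
        for c in certs:
            sd = depth.get(c.signer)
            if sd is None or sd < 1:
                continue      # signer unknown/invalid, or not a trusted introducer
            # the target becomes valid; its introducer depth is capped both by
            # what this signature grants and by the signer's remaining depth
            d = min(c.depth, sd - 1)
            if depth.get(c.target, -1) < d:
                depth[c.target] = d
                changed = True
    return depth

def valid_keys(own_key, certs):
    return set(introducer_depths(own_key, certs))

def is_valid(own_key, certs, key):
    return key in introducer_depths(own_key, certs)

# Constructed scenarios (illustrative names, not real key IDs)
# 1. The chain from the message: Charlie signs Alice, Alice signs Baker.
CHAIN = [Cert("charlie", "alice"), Cert("alice", "baker")]
# 2. A corporate signing key that Charlie tsigns at depth 1 and that then
#    certifies employee keys on HR/IT approval; Bob's own certification of
#    Eve carries no trust because Bob is not an introducer.
CORPORATE = [Cert("charlie", "corp", depth=1),
             Cert("corp", "bob"), Cert("corp", "alice"),
             Cert("bob", "eve")]

if __name__ == "__main__":
    print(sorted(valid_keys("charlie", CHAIN)))      # ['alice', 'charlie']
    print(sorted(valid_keys("charlie", CORPORATE)))  # ['alice', 'bob', 'charlie', 'corp']
```

Baker stays invalid in the first scenario for exactly the reason given above: Charlie's signature on Alice vouches for Alice's identity, not for her judgement as a certifier.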
