trust your corporation for keyowner identification?

Robert J. Hansen rjh at sixdemonbag.org
Wed Oct 16 20:10:51 CEST 2013


> If you worked in a corporate environment, would you trust the HR
> department there to have verified the identity of employees well enough
> to leverage that into signing a GPG key?

This is the wrong question, really.

HR is pretty good about verifying identity documents.  HR gets
specialized training in what proper identity documents look like and
HR typically has ways to check those documents with the government.
Even small firms do a lot of identity verification -- in the United
States you can't legally work without presenting your employer with a
passport (or, alternately, a driver's license and Social Security
card).  Not even a McDonald's or a 7-11 will let you work there
without providing them with those documents.

But HR is probably really bad about understanding the nuances of the
Web of Trust, what it means to make a certification, whether a
certification should be made at all, what level of certification
should be made, and so forth.  The limiting factor here is
technological skill, not document verification.

That said, I've worked for two companies that did this and did it
quite competently.

I haven't kept up with PGP since they got bought out by Symantec, but
I know that from at least '95 to '05 they would issue corporate
signatures to employee certificates, if the employee requested it.
They did this so that other users could be confident in who was really
an employee of PGP Security and who wasn't.
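Added illustration, not part of the post above: a small Python model of GnuPG's Web-of-Trust validity rules (documented defaults completes-needed=1, marginals-needed=3, max-cert-depth=5, --min-cert-level=2), showing the certification nuances the post says HR staff usually lack, such as a corporate signing key vouching for employees while a persona-level certification is silently ignored. The key names and certifications are constructed, and the validity computation is a simplification of GnuPG's trust model, not its code.

```python
# OpenPGP certification levels: 0x10 generic, 0x11 persona, 0x12 casual, 0x13 positive.
GENERIC, PERSONA, CASUAL, POSITIVE = 0x10, 0x11, 0x12, 0x13

def cert_counts(level, min_cert_level=2):
    """GnuPG's --min-cert-level (default 2) ignores persona (0x11) certifications;
    level 0x10 ("no particular claim") is documented as always accepted."""
    n = level - 0x10
    return n == 0 or n >= min_cert_level

def key_validity(certs, owner_trust, ultimate, completes=1, marginals=3, max_depth=5):
    """Simplified Web-of-Trust model: returns {key: ultimate|full|marginal|unknown}.
    Only already-valid keys can introduce others; a key becomes fully valid with
    `completes` fully-trusted or `marginals` marginally-trusted certifications
    (GnuPG defaults 1 and 3), within `max_depth` steps of the ultimate key."""
    validity = {ultimate: "ultimate"}
    trust_of = {**owner_trust, ultimate: "full"}  # the user's own key is fully trusted
    keys = {k for signer, signee, _ in certs for k in (signer, signee)}
    for _ in range(max_depth):
        changed = False
        for key in keys:
            if validity.get(key) in ("ultimate", "full"):
                continue
            full = marginal = 0
            for signer, signee, level in certs:
                if signee != key or not cert_counts(level):
                    continue
                if validity.get(signer) not in ("ultimate", "full"):
                    continue  # a signer whose own key is not valid cannot introduce
                full += trust_of.get(signer) == "full"
                marginal += trust_of.get(signer) == "marginal"
            if full >= completes or marginal >= marginals:
                new = "full"
            else:
                new = "marginal" if marginal else "unknown"
            if validity.get(key, "unknown") != new:
                validity[key], changed = new, True
        if not changed:
            break
    return {k: validity.get(k, "unknown") for k in keys}

# Constructed scenario: Alice (ultimate) certified her employer's signing key and
# fully trusts it; the HR desk certifies Carol at persona level, which is dropped.
CERTS = [  # (signer, signee, level)
    ("alice", "corp-signing", POSITIVE), ("corp-signing", "bob", POSITIVE),
    ("corp-signing", "hr-desk", POSITIVE), ("hr-desk", "carol", PERSONA),
    ("corp-signing", "dan", POSITIVE), ("corp-signing", "eve", POSITIVE),
    ("corp-signing", "fay", POSITIVE), ("dan", "gus", CASUAL),
    ("eve", "gus", CASUAL), ("fay", "gus", CASUAL), ("dan", "hal", CASUAL)]
OWNER_TRUST = {"corp-signing": "full", "hr-desk": "full",
               "dan": "marginal", "eve": "marginal", "fay": "marginal"}
```

Running `key_validity(CERTS, OWNER_TRUST, "alice")` marks Bob and the three coworkers fully valid via the corporate key, Gus valid through three marginal coworkers, Hal only marginal, and Carol unknown because the HR desk's persona-level certification never counts.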