trust your corporation for keyowner identification?
Robert J. Hansen
rjh at sixdemonbag.org
Wed Oct 16 20:10:51 CEST 2013
> If you worked in a corporate environment, would you trust the HR
> department there to have verified the identity of employees well enough
> to leverage that into signing a GPG key?
This is the wrong question, really.

HR is pretty good about verifying identity documents. HR gets
specialized training in what proper identity documents look like and
HR typically has ways to check those documents with the government.
Even small firms do a lot of identity verification -- in the United
States you can't legally work without presenting your employer with a
passport (or, alternately, a driver's license and Social Security
card). Not even a McDonald's or a 7-11 will let you work there
without providing them with those documents.

But HR is probably really bad about understanding the nuances of the
Web of Trust, what it means to make a certification, whether a
certification should be made at all, what level of certification
should be made, and so forth. The limiting factor here is
technological skill, not document verification.

That said, I've worked for two companies that did this and did it

I haven't kept up with PGP since they got bought out by Symantec, but
I know that from at least '95 to '05 they would issue corporate
signatures to employee certificates, if the employee requested it.
They did this so that other users could be confident in who was really
an employee of PGP Security and who wasn't.