trust your corporation for keyowner identification?
dougb at dougbarton.us
Wed Oct 16 21:51:15 CEST 2013
On 10/16/2013 05:04 AM, Brian J. Murrell wrote:
| If you worked in a corporate environment, would you trust the HR
| department there to have verified the identity of employees well
| enough to leverage that into signing a GPG key?
| Let's say such an environment had a messaging system where
| employees had to authenticate with their corporate IT credentials
| in order to use the system. Would that, and the assertion by HR/IT
| that a message that I get from Bob really did come from the
| employee HR verified as Bob (i.e. when they hired him) be enough
| for you to trust the key you get from Bob enough to sign it that it
| really is really Bob's?
What would the purpose of such a signature be? Would you be
distributing your signature, or would it be local to your key ring? If
you're distributing the signature, would you distribute it only within
the company, or outside too? Are you talking about signing with your
personal key, or signing with your company key? If the latter, does
that key ever see the light of day outside the company?

Just to be clear, I'm not being snarky here. As others have said, you
have asked an interesting question, but there are not enough details
(for me at least) to give you an answer.