trust your corporation for keyowner identification?

Brian J. Murrell brian at
Wed Oct 16 22:19:19 CEST 2013

On 13-10-16 03:51 PM, Doug Barton wrote:
> On 10/16/2013 05:04 AM, Brian J. Murrell wrote:
> | If you worked in a corporate environment, would you trust the HR
> | department there to have verified the identity of employees well
> | enough to leverage that into signing a GPG key?
> |
> | Let's say such an environment had a messaging system where
> | employees had to authenticate with their corporate IT credentials
> | in order to use the system.  Would that, and the assertion by HR/IT
> | that a message that I get from Bob really did come from the
> | employee HR verified as Bob (i.e. when they hired him) be enough
> | for you to trust the key you get from Bob enough to sign it that it
> | really is Bob's?

So yeah.  The parameters were a bit vague, in retrospect.  So to set some...

The corporation itself does not use GPG and thus is not signing any GPG
keys for their employees.  I'd be surprised if many corporations were
using GPG in preference to SSL (i.e. S/MIME).  To be honest, I'd imagine
"certificates" and "SSL PKI", etc., all bundled up into shrink-wrapped
software that runs on Windows servers, bought from companies that can be
sued, etc. just seems so much more "corporate"-friendly than GPG.

So that said, the corporate infrastructure (i.e. being satisfied enough
that Bob is Bob to hire him and put him on payroll and deduct and remit
income taxes to the government and provide benefits and insurance to,
etc.) would be nothing more than a proxy for meeting an individual and
seeing their "government issued" ID in order to be happy enough that Bob
is Bob for you to sign his key saying as much -- assuming you have a
secure channel to verify that the key you are signing is Bob's.

So to answer previous questions/suggestions, there is no corporate GPG
key to sign Bob's key for other GPG users (employees or otherwise) to
put trust into.

The corporation would not have a copy of the private key since the
corporation is completely uninvolved other than (unknowingly) being the
identity-checker and providing the means to authoritatively communicate
with Bob (i.e. when I "message" bob at corporate.domain I know it's Bob
that I am talking to -- somebody in IT doing a MITM attack aside -- but
maybe that's enough of a risk to make this infeasible).  You would have
the same trust that only Bob has Bob's secret key as you would any other
GPG user whose key you signed.  Any given GPG user's competency in using
GPG (i.e. keeping secret keys secret, trusting others, etc.) is up to
you, as it always is.

The misunderstanding that the corporation is somehow involved with keys
and signing I think was the biggest misunderstanding.  They are not.
They provide nothing more than asserting that Bob is Bob and providing a
means of ensuring that I am communicating with Bob when I think I am
communicating with Bob (again, IT launching a MITM attack aside).

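The step the post leans on is the "secure channel to verify that the key you are signing is Bob's": the fingerprint Bob sends over the authenticated corporate messaging system has to match the key you actually fetched before you sign it. The script below is an added example, not part of the original message or of GnuPG itself; the key id, fingerprint and colon-format output are constructed sample data standing in for what `gpg --with-colons --fingerprint` would print.

```shell
#!/bin/sh
# Added example (not from the thread): check a fetched key's fingerprint
# against the one Bob claimed over the authenticated corporate channel
# before signing it. All identifiers below are constructed sample values.

# Fingerprint as Bob pasted it into the corporate messaging system
# (constructed; spaced the way `gpg --fingerprint` prints it).
BOB_CLAIMED_FPR="1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678"

# Constructed stand-in for `gpg --with-colons --fingerprint <keyid>` output.
# In the "fpr" record the fingerprint is field 10.
sample_colons_output() {
  cat <<'EOF'
pub:-:4096:1:9ABCDEF012345678:1381936759:::-:::scESC::::::23::0:
fpr:::::::::123456789ABCDEF0123456789ABCDEF012345678:
uid:-::::1381936759::0000000000000000000000000000000000000000::Bob Example <bob@corporate.example>::::::::::0:
EOF
}

# Extract the primary-key fingerprint from colon-format output on stdin.
fpr_from_colons() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# Normalise a human-typed fingerprint: drop spaces, upper-case hex digits.
normalise_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Succeed (exit 0) only if the fetched key's fingerprint equals the claimed one.
verify_fingerprint() {
  fetched=$(sample_colons_output | fpr_from_colons)
  claimed=$(normalise_fpr "$1")
  [ -n "$fetched" ] && [ "$fetched" = "$claimed" ]
}

if verify_fingerprint "$BOB_CLAIMED_FPR"; then
  echo "fingerprint matches; the key could now be signed with:"
  echo "  gpg --ask-cert-level --sign-key 123456789ABCDEF0123456789ABCDEF012345678"
else
  echo "fingerprint mismatch; do not sign" >&2
fi
```

In real use, replace `sample_colons_output` with the actual `gpg --with-colons --fingerprint <keyid>` call; `--ask-cert-level` lets you record how carefully the identity was checked.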