trust your corporation for keyowner identification?

Brian J. Murrell brian at interlinx.bc.ca
Thu Oct 17 21:42:37 CEST 2013


On 13-10-17 09:07 AM, Johan Wevers wrote:
> 
> Yes there is: the practical point of using those keys. Why would a HR
> department sign employees' keys?

Look at my update to this thread yesterday.  I already said in that
message that the HR department is NOT signing keys and that the
corporation in fact is not even involved with GPG in any way whatsoever.

> I assume to have the employee use it in
> encrypted communications with colleagues / customers / whoever.

No.  This has nothing to do with corporate key use.  This is merely a
way for individuals, as individuals, to enhance the certification of
their keys by having a "virtual keysigning party" within their company.
This is no different than going to your LUG and having a keysigning
party there.  The LUG itself does not participate in any way (i.e.
signing keys, etc.) other than to provide a venue for the people to meet.

In my proposed scenario, the corporation is doing nothing more than
providing a means for the participants to know that Bob is actually Bob
because the company has checked his ID and said he is and providing an
authenticated means (again, IT being a black-hat aside) to communicate
with Bob and verify fingerprints, etc.

b.

