trust your corporation for keyowner identification?
Robert J. Hansen
rjh at sixdemonbag.org
Thu Oct 17 22:54:54 CEST 2013
> In my proposed scenario, the corporation is doing nothing more than
> providing a means for the participants to know that Bob is actually Bob
> because the company has checked his id and said he is and providing an
> authenticated means (again, IT being a black-hat aside) to communicate
> with Bob and verify fingerprints, etc.

Under this scenario, the entire thing is dangerously bogus.

When I sign a certificate, I am sending a message: "I am vouching for
the identity of X." Under your scenario, I'm no longer vouching for
the identity of X. I would instead be saying, "Someone else who is
not listed on this signature has vouched for the identity of X. I am
signing this without any direct personal knowledge of X's identity."

If you're vouching for X's identity, you need to take positive steps
to verify X's identity. If someone else is vouching for X's identity,
then let them sign X's certificate. Why should you get involved
without doing your own positive verification?