trust your corporation for keyowner identification?

Robert J. Hansen rjh at
Thu Oct 17 22:54:54 CEST 2013

> In my proposed scenario, the corporation is doing nothing more than
> providing a means for the participants to know that Bob is actually Bob
> because the company has checked his id and said he is and providing an
> authenticated means (again, IT being a black-hat aside) to communicate
> with Bob and verify fingerprints, etc.

Under this scenario, the entire thing is dangerously bogus.

When I sign a certificate, I am sending a message: "I am vouching for
the identity of X."  Under your scenario, I'm no longer vouching for
the identity of X.  I would instead be saying, "Someone else who is
not listed on this signature has vouched for the identity of X.  I am
signing this without any direct personal knowledge of X's identity."

If you're vouching for X's identity, you need to take positive steps
to verify X's identity.  If someone else is vouching for X's identity,
then let them sign X's certificate.  Why should you get involved
without doing your own positive verification?
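The distinction drawn above (your own signature asserts your own verification; if the corporation did the identity check, the corporation's key should carry the signature and you express your reliance on it as ownertrust) can be made concrete with a small model of the PGP web-of-trust validity rules. The following is an added example and is not code from the post or from GnuPG; it implements a simplified version of GnuPG's default validity computation (a key is valid if signed by an ultimately trusted key, by one valid key with full ownertrust, or by three valid keys with marginal ownertrust), and the key names alice, corp and bob are constructed for illustration.

```python
# Simplified web-of-trust validity model (added example, not GnuPG's own code).
# Ownertrust levels and thresholds follow GnuPG's defaults:
# completes-needed = 1, marginals-needed = 3.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3


class Keyring:
    """Tracks who signed which key and how much each key's owner is trusted
    as an introducer. Key names are plain strings in this toy model."""

    def __init__(self):
        self.ownertrust = {}   # key -> "ultimate" | "full" | "marginal" | "none"
        self.signatures = {}   # signed key -> set of keys that signed it

    def set_ownertrust(self, key, level):
        assert level in ("ultimate", "full", "marginal", "none")
        self.ownertrust[key] = level

    def sign(self, signer, signed):
        # A certification signature: signer asserts it verified signed's identity.
        self.signatures.setdefault(signed, set()).add(signer)

    def vouchers(self, key):
        """Who actually put their name on this key's certificate."""
        return set(self.signatures.get(key, set()))

    def is_valid(self, key, _seen=frozenset()):
        """Validity of `key` from the keyring owner's point of view."""
        if self.ownertrust.get(key) == "ultimate":
            return True
        if key in _seen:              # break signature cycles
            return False
        full = marginal = 0
        for signer in self.signatures.get(key, ()):
            if signer == key:         # self-signatures do not count
                continue
            if not self.is_valid(signer, _seen | {key}):
                continue              # only valid keys can introduce others
            level = self.ownertrust.get(signer, "none")
            if level in ("ultimate", "full"):
                full += 1
            elif level == "marginal":
                marginal += 1
        return full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED


def scenario_direct_signature_without_verification():
    """The scenario the post objects to: Alice signs Bob's key herself even
    though only the corporation checked Bob's ID. Bob's key becomes valid,
    but the certificate now records Alice, not the corporation, as the party
    vouching for Bob."""
    kr = Keyring()
    kr.set_ownertrust("alice", "ultimate")   # Alice's own key
    kr.sign("alice", "bob")
    return kr.is_valid("bob"), kr.vouchers("bob")


def scenario_corporation_signs_and_is_trusted():
    """The post's recommendation: the party that did the check (the
    corporation) signs Bob's key, and Alice records her reliance on that
    party as ownertrust after verifying the corporation's own key."""
    kr = Keyring()
    kr.set_ownertrust("alice", "ultimate")
    kr.sign("alice", "corp")                 # Alice verified the corporate key
    kr.set_ownertrust("corp", "full")        # Alice accepts corp as an introducer
    kr.sign("corp", "bob")                   # corp vouches for Bob
    return kr.is_valid("bob"), kr.vouchers("bob")


def scenario_corporation_signs_but_is_not_trusted():
    """Same signatures as above, but Alice never assigned ownertrust to the
    corporation: Bob's key is not valid for her, which is the honest result
    when she has not decided to rely on the corporation's checks."""
    kr = Keyring()
    kr.set_ownertrust("alice", "ultimate")
    kr.sign("alice", "corp")
    kr.sign("corp", "bob")
    return kr.is_valid("bob"), kr.vouchers("bob")


if __name__ == "__main__":
    print("direct signature:   ", scenario_direct_signature_without_verification())
    print("corp signs, trusted:", scenario_corporation_signs_and_is_trusted())
    print("corp signs, untrusted:", scenario_corporation_signs_but_is_not_trusted())
```

In the first two scenarios Bob's key ends up valid either way; the difference is in the record. With the direct signature, anyone who later sees Alice's certification reads it as Alice's own verification of Bob. With the corporation signing and Alice setting ownertrust, the certificate names the party that actually checked Bob's ID, and Alice's reliance on it stays a private decision in her own trust database rather than a public claim.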
