trust your corporation for keyowner identification?

Werewolf werewolf6851 at gmail.com
Fri Oct 18 08:41:17 CEST 2013


On Thu, Oct 17, 2013 at 01:54:54PM -0700, Robert J. Hansen wrote:
> >In my proposed scenario, the corporation is doing nothing more than
> >providing a means for the participants to know that Bob is actually Bob
> >because the company has checked his id and said he is and providing an
> >authenticated means (again, IT being a black-hat aside) to communicate
> >with Bob and verify fingerprints, etc.
> 
> Under this scenario, the entire thing is dangerously bogus.
> 
> When I sign a certificate, I am sending a message: "I am vouching
> for the identity of X."  Under your scenario, I'm no longer vouching
> for the identity of X.  I would instead be saying, "Someone else who
> is not listed on this signature has vouched for the identity of X.
> I am signing this without any direct personal knowledge of X's
> identity."
> 
> If you're vouching for X's identity, you need to take positive steps
> to verify X's identity.  If someone else is vouching for X's
> identity, then let them sign X's certificate.  Why should you get
> involved without doing your own positive verification?

Now what if the Company/HR department had a Notary public for their documents, and this same Notary had a GPG key he/she treated the same as his/her stamp equipment, and used the same standards before signing a GPG key?

Wolf
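The distinction Robert draws above (vouch yourself, or let the verifier sign and extend trust to them) is exactly what the OpenPGP web of trust encodes through ownertrust. The following is an added illustration, not code from this thread or from GnuPG: a deliberately simplified model of GnuPG's classic trust computation (the thresholds mirror GnuPG's defaults of 3 marginals, 1 complete, depth 5; certification levels, expiry, revocation and trust signatures are left out). The key ids alice, bob, notary, dave and signerN are constructed for the example.

```python
"""Simplified web-of-trust validity model (added example, not GnuPG code).

Validity of a key is derived from (a) signatures on it and (b) the ownertrust
the relying party has assigned to the signers, never from trust alone.
"""
from dataclasses import dataclass, field

FULL, MARGINAL, NONE = "full", "marginal", "none"


@dataclass
class Key:
    sigs: set = field(default_factory=set)  # ids of keys that certified this key


class Keyring:
    # Defaults mirror GnuPG's marginals-needed / completes-needed / max-cert-depth.
    def __init__(self, own, marginals_needed=3, completes_needed=1, max_depth=5):
        self.own = own
        self.marginals_needed = marginals_needed
        self.completes_needed = completes_needed
        self.max_depth = max_depth
        self.keys = {}
        self.ownertrust = {own: FULL}  # the relying party trusts herself

    def add_key(self, keyid):
        self.keys[keyid] = Key()

    def certify(self, signer, target):
        """signer's key puts a certification signature on target's key."""
        self.keys[target].sigs.add(signer)

    def set_ownertrust(self, keyid, level):
        assert level in (FULL, MARGINAL, NONE)
        self.ownertrust[keyid] = level

    def compute_validity(self):
        """Return keyid -> validity as seen from the owner of this keyring."""
        validity = {k: NONE for k in self.keys}
        validity[self.own] = FULL
        for _ in range(self.max_depth):
            changed = False
            for kid, key in self.keys.items():
                if validity[kid] == FULL:
                    continue
                # Only signatures from keys that are themselves valid count,
                # weighted by the ownertrust assigned to the signer.
                full_votes = sum(1 for s in key.sigs if validity.get(s) == FULL
                                 and self.ownertrust.get(s) == FULL)
                marg_votes = sum(1 for s in key.sigs if validity.get(s) == FULL
                                 and self.ownertrust.get(s) == MARGINAL)
                if full_votes >= self.completes_needed or marg_votes >= self.marginals_needed:
                    validity[kid] = FULL
                    changed = True
                elif full_votes + marg_votes > 0:
                    validity[kid] = MARGINAL
            if not changed:
                break
        return validity


def scenario_notary_vouches():
    """Alice never signs Bob. The HR notary does; Alice extends trust to the notary."""
    ring = Keyring(own="alice")
    for kid in ("alice", "notary", "bob", "carol"):
        ring.add_key(kid)
    ring.certify("notary", "bob")    # notary checked Bob's ID and signed his key
    ring.certify("notary", "carol")
    ring.certify("alice", "notary")  # Alice verified the notary's key herself
    before = ring.compute_validity()  # notary valid, but Bob is not: no ownertrust yet
    ring.set_ownertrust("notary", FULL)
    after = ring.compute_validity()   # Bob and Carol now valid through the notary's vouch
    return before, after


def scenario_blind_countersign():
    """Alice signs Bob without checking. Dave, who trusts Alice, inherits that claim."""
    ring = Keyring(own="dave")
    for kid in ("dave", "alice", "bob"):
        ring.add_key(kid)
    ring.certify("dave", "alice")
    ring.set_ownertrust("alice", FULL)
    ring.certify("alice", "bob")  # the notary's check is nowhere in this chain
    return ring.compute_validity()["bob"]


def scenario_marginal_signers(n_signers):
    """Bob's validity when n marginally trusted, individually verified keys sign him."""
    ring = Keyring(own="alice")
    ring.add_key("alice")
    ring.add_key("bob")
    for i in range(n_signers):
        kid = f"signer{i}"
        ring.add_key(kid)
        ring.certify("alice", kid)  # Alice verified each signer's key herself
        ring.set_ownertrust(kid, MARGINAL)
        ring.certify(kid, "bob")
    return ring.compute_validity()["bob"]


if __name__ == "__main__":
    before, after = scenario_notary_vouches()
    print("bob before ownertrust:", before["bob"], "| after:", after["bob"])
    print("bob as seen by dave after Alice's blind signature:", scenario_blind_countersign())
    print("bob with 2 / 3 marginal signers:",
          scenario_marginal_signers(2), scenario_marginal_signers(3))
```

The first scenario is the arrangement Robert recommends: the party who did the checking signs, and everyone else records how far they trust that party. The second shows why a countersignature without verification is harmful: Dave's keyring reports Bob as fully valid on Alice's word alone, and nothing in the signature chain records that the actual identity check was done by someone else.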