trust your corporation for keyowner identification?

Peter Lebbing peter at
Fri Oct 18 11:59:15 CEST 2013

On 18/10/13 11:37, Peter Lebbing wrote:
> The moral: I think it is a really bad idea to sign keys because you trust
> already made signatures. That's what your trust database is for, use that. You
> should sign keys because you verified the identity *outside* the Web of Trust.

However, here an interesting dichotomy surfaces: the scenario the OP painted was
that the HR person or notary did not use OpenPGP or key signatures, but that you
still rely on the identity verification done by the HR person. This would thus
constitute identity verification outside the Web of Trust, and I suppose I would
find that acceptable. Although I'm a bit unclear on how this "virtual keysigning
party" would in practice be held: how does the notary state he trusts the
identity? Where does the fingerprint of the key come into play? You are
asserting that a certain person holds a certain key, the key has to be part of
the verification. But the notary wasn't using OpenPGP.

The dichotomy is thus: if the notary does not sign keys, I would be okay with
people signing keys based on the notary's verification efforts. But if that same
notary did everything he or she did before *and* did something extra, namely
signing keys, suddenly I'm not okay with people signing keys based on the
notary's verification efforts. That's odd.

But the dichotomy doesn't change my position on this. Perhaps a clear answer to
how the key fingerprint comes into play would take away the oddity, because
perhaps then suddenly there /is/ a verification effort by the people signing the
key: that the key belongs to the owner. That the owner is who they say they are,
is then left to the notary.

I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

More information about the Gnupg-users mailing list