trust your corporation for keyowner identification?

Brian J. Murrell brian at interlinx.bc.ca
Fri Oct 18 22:26:43 CEST 2013


On 13-10-18 05:59 AM, Peter Lebbing wrote:
> 
> However, here an interesting dichotomy surfaces: the scenario the OP painted was
> that the HR person or notary did not use OpenPGP or key signatures, but that you
> still rely on the identity verification done by the HR person.

That's correct.

> This would thus
> constitute identity verification outside the Web of Trust,

Indeed!  I completely agree with your prior opposition to people signing
keys just because somebody they trust signed one and how trust
relationships work to avoid the need to do that.

> and I suppose I would
> find that acceptable.

I'm still not convinced, but that is why I brought it up for discussion. :-)

> Although I'm a bit unclear on how this "virtual keysigning
> party" would in practice be held: how does the notary state he trusts the
> identity? Where does the fingerprint of the key come in to play? You are
> asserting that a certain person holds a certain key, the key has to be part of
> the verification. But the notary wasn't using OpenPGP.

Right.  The key signing party relies on a means of communication that
can be considered authenticated.  It could be e-mail (closed corporate
e-mail system, not an "across the Internet" e-mail) or it could be
"credentials required" (again, closed, corporate) instant messaging for
example.

So that is, account compromise aside, you know that when Bob sends you
an e-mail or an instant message, it did come from Bob because only Bob
knows the credentials to be able to send messages in the messaging
system from his account.

Indeed, corporate messaging account compromise, or IT black-hats are a
risk here.  I guess it would be up to the individuals to assess the risk
of such a thing just like one has to assess the risk that the ID that one
is verifying at a traditional key-signing party is fraudulent or not.

> The dichotomy is thus: if the notary does not sign keys, I would be okay with
> people signing keys based on the notary's verification efforts. But if that same
> notary did everything he or she did before *and* did something extra, namely
> signing keys, suddenly I'm not okay with people signing keys based on the
> notary's verification efforts. That's odd.

It is odd.  But I understand it.

> But the dichotomy doesn't change my position on this. Perhaps a clear answer to
> how the key fingerprint comes into play would take away the oddity, because
> perhaps then suddenly there /is/ a verification effort by the people signing the
> key: that the key belongs to the owner. That the owner is who they say they are,
> is then left to the notary.

Interesting perspectives, indeed.

Cheers,
b.
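As an added illustration, not part of this thread and not GnuPG's own code, of where the fingerprint enters Brian's "virtual key-signing party": the only thing the authenticated corporate channel can vouch for is a short string Bob typed, so the check that makes the channel's authenticity transfer to the key is computing the v4 fingerprint of the key you actually hold (SHA-1 over 0x99, a two-byte length and the public-key packet body, per RFC 4880) and comparing it, constant-time, with what Bob sent. The RSA values below are constructed toy numbers, far too small to be a real key, used only to build a syntactically valid packet body offline; the function names and the sample message are mine.

```python
import hashlib
import hmac
import re

# Constructed toy RSA parameters (NOT a real key; 256-bit modulus, insecure by design).
# They exist only so the script can build a valid OpenPGP v4 public-key packet body.
TOY_N = 0xC4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0E
TOY_E = 65537
TOY_CREATED = 1382126803  # key creation time, seconds since epoch (constructed)


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian magnitude (RFC 4880 3.2)."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")


def v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version-4 RSA public-key packet (RFC 4880 5.5.2): version, time, algo 1, MPI n, MPI e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: fingerprint = SHA-1(0x99 || 2-byte body length || body), shown as 40 upper-case hex digits."""
    prefix = b"\x99" + len(body).to_bytes(2, "big")
    return hashlib.sha1(prefix + body).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is just the low-order 16 hex digits of a v4 fingerprint."""
    return fingerprint[-16:]


def normalize_fingerprint(text: str) -> str:
    """Strip the spaces/colons people type, drop a leading 0x, upper-case; reject anything that is not 40 hex digits."""
    cleaned = re.sub(r"[\s:]", "", text).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("not a 40-hex-digit v4 fingerprint: %r" % text)
    return cleaned


def safe_to_sign(fingerprint_from_authenticated_channel: str, candidate_key_body: bytes) -> bool:
    """The virtual key-signing check: certify the key only if the fingerprint Bob sent over the
    closed corporate channel matches the fingerprint of the key you actually hold."""
    expected = normalize_fingerprint(fingerprint_from_authenticated_channel)
    actual = v4_fingerprint(candidate_key_body)
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    # The key as fetched from a keyserver or mailed around (constructed here).
    held_key = v4_rsa_public_key_body(TOY_N, TOY_E, TOY_CREATED)
    fp = v4_fingerprint(held_key)
    # What Bob pastes into the corporate IM client (constructed; note lower case and spacing).
    bob_says = " ".join(fp[i:i + 4] for i in range(0, 40, 4)).lower()
    print("key ID", key_id(fp), "matches Bob's message:", safe_to_sign(bob_says, held_key))
    # A different key with the same user ID would fail the check, so the name alone never suffices.
    other_key = v4_rsa_public_key_body(TOY_N, 3, TOY_CREATED)
    print("other key matches Bob's message:", safe_to_sign(bob_says, other_key))
```

Two points the code makes explicit: comparing only the short key ID would leave room for a colliding key, so the full fingerprint is what gets compared; and the comparison is done with `hmac.compare_digest` rather than `==` purely as habit, since the inputs here are public anyway.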
