trust your corporation for keyowner identification?
Peter Lebbing
peter at digitalbrains.com
Sat Oct 19 13:17:02 CEST 2013
On 18/10/13 22:26, Brian J. Murrell wrote:
> Right. The key signing party relies on a means of communication that
> can be considered authenticated. It could be e-mail (closed corporate
> e-mail system, not an "across the Internet" e-mail) or it could be
> "credentials required" (again, closed, corporate) instant messaging for
> example.
I don't think I myself would consider that enough verification to sign a key.
Too many other communication components involved.
I was more thinking along the line of a Zimmermann-Sassaman protocol key signing
party where the HR person is present and every line on the list is done as follows:
Person on list: "Yes, entry 42 is indeed the fingerprint of my key"
HR person: "Yes, this person is indeed the person listed at entry 42"
This would be a considerable speedup for the ID verification stage, still
presuming that you trust HR to properly verify someone's identity.
I don't think this would still be a "virtual" keysigning party, though :).
HTH,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>