trust your corporation for keyowner identification?

Peter Lebbing peter at digitalbrains.com
Sat Oct 19 13:17:02 CEST 2013


On 18/10/13 22:26, Brian J. Murrell wrote:
> Right.  The key signing party relies on a means of communication that
> can be considered authenticated.  It could be e-mail (closed corporate
> e-mail system, not an "across the Internet" e-mail) or it could be
> "credentials required" (again, closed, corporate) instant messaging for
> example.

I don't think I myself would consider that enough verification to sign a key.
Too many other communication components involved.

I was more thinking along the lines of a Zimmermann-Sassaman protocol key signing
party where the HR person is present and every line on the list is done as follows:

Person on list: "Yes, entry 42 is indeed the fingerprint of my key"
HR person: "Yes, this person is indeed the person listed at entry 42"

This would be a considerable speedup for the ID verification stage, still
presuming that you trust HR to properly verify someone's identity.

I don't think this would still be a "virtual" keysigning party, though :).

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
