trust your corporation for keyowner identification?

Stan Tobias sttob at privatdemail.net
Tue Oct 22 17:01:28 CEST 2013


"Robert J. Hansen" <rjh at sixdemonbag.org> wrote:

> > In my proposed scenario, the corporation is doing nothing more than
> > providing a means for the participants to know that Bob is actually Bob
> > because the company has checked his id and said he is and providing an
> > authenticated means (again, IT being a black-hat aside) to communicate
> > with Bob and verify fingerprints, etc.
>
> Under this scenario, the entire thing is dangerously bogus.
>
> When I sign a certificate, I am sending a message: "I am vouching for  
> the identity of X."  Under your scenario, I'm no longer vouching for  
> the identity of X.  I would instead be saying, "Someone else who is  
> not listed on this signature has vouched for the identity of X.  I am  
> signing this without any direct personal knowledge of X's identity."
>
> If you're vouching for X's identity, you need to take positive steps  
> to verify X's identity.  If someone else is vouching for X's identity,  
> then let them sign X's certificate.  Why should you get involved  
> without doing your own positive verification?

I somewhat disagree.

I think we deal with two separate problems here: 1. identification of a
person, and 2. certification of the key.  The latter is about the person
claiming use of the key, i.e. you vouch that the person told you "This
is my key".  Making a certification is *not* a confirmation of an identity.

At key-signing parties you "identify" a person by looking at his
documents.  But this is not a real identification - almost none of us
has the means to confirm an identity, which is a job for a detective.
By looking at someone's documents we only check that the person has
a title to use a particular name (i.e. is known by this name to others).
(The person remains as anonymous as he was before showing his ID.)

So my conclusion with regard to the OP's question is that an
identification performed by a corporation is good enough to believe
that X is X.  However, a certification signature by a corporation on
X's key (which by itself does not state anything about X's identity)
is not enough to know that X claims that key - you have to hear it from
X himself (in order to leave your certificate).

Stan T.

P.S.1 I've presented my position as a set of assertions, but I don't mean
      to stand entirely by their correctness;  I humbly await comments.
P.S.2 Sorry to be a late-comer to the discussion - initially I had some
      difficulty formulating the problem; this is my second attempt.