trust your corporation for keyowner identification?

MFPA expires2013 at
Tue Oct 22 22:57:17 CEST 2013

On Thursday 17 October 2013 at 11:37:35 AM, in
<mid:l3oel7$7ur$1 at>, Brian J. Murrell wrote:

> On 13-10-16 05:28 PM, MFPA wrote:

>> If the key was generated, stored, or used on the
>> company's computer, all bets are off regarding Bob
>> being the only one with access to a copy.

> Why would it be?  There is no reason, with this
> verification scheme that anyone's private keys (or
> public keys for that matter) go anywhere near the
> company's computer.

> Cheers, b.

When you said you would be messaging "bob at corporate.domain" I
interpreted that in the context of a discussion about OpenPGP keys to
mean you were exchanging encrypted communications with that email
address. It appears you probably meant the communication with
"bob at corporate.domain" was the out-of-band channel by which you and
Bob told each other your OpenPGP key fingerprints, and that being able
to send emails from those corporate accounts also doubled as identity
verification (because only the individual knows the relevant
credentials to send from "their" corporate email address, and the
company is required to verify government-issued ID documents when
engaging staff).

The bit about the employer having to verify people's ID may lead me to
accept a corporate ID card as an alternative to government-issued ID.
As for use of a corporate email address, could I be sure that Bob
locked his computer every time he left his desk? Or that nobody else
would ever have access to a written record of Bob's passwords? Or
that, in Bob's absence, a substitute would never use Bob's email
address when covering his work?

--
Best regards

MFPA                    mailto:expires2013 at

If at first you don't succeed, destroy all evidence that you tried.

