trust your corporation for keyowner identification?

Brian J. Murrell brian at interlinx.bc.ca
Fri Oct 25 18:54:19 CEST 2013


On 13-10-22 04:57 PM, MFPA wrote:
> Hi

Hi,

> It appears you probably meant the communication with
> "bob at corporate.domain" was the out-of-band channel by which you and
> Bob told each other your OpenPGP key fingerprints, and that being able
> to send emails from those corporate accounts also doubled as identity
> verification (because only the individual knows the relevant
> credentials to send from "their" corporate email address, and the
> company is required to verify government-issued ID documents when
> engaging staff).

Indeed.  You have it exactly.  Sorry I was not more clear about these
details in the beginning.

> As for use of a corporate email address, could I be sure that Bob
> locked his computer every time he left his desk? Or that nobody else
> would ever have access to a written record of Bob's passwords? Or
> that, in Bob's absence, a substitute would never use Bob's email
> address when covering his work?

Indeed.  Those are all things you'd have to take into account, just like
having to take into account the risk of IT being involved in a black-hat
role in all of this.

I have to admit that any/all of those possibilities make me wary of such
a scheme.  I think I'd have to be able to "test" Bob on the other end of
the OOB comms channel to use such a scheme.  That seems to imply some
level of familiarity with Bob, which might not be unreasonable
considering we might work together.

Cheers,
b.
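The step the thread keeps coming back to is comparing the fingerprint Bob sent over the out-of-band channel with the fingerprint of the key you actually fetched. The following is an added example, not code from this post or from GnuPG: a small standard-library Python check that normalises a fingerprint as it might arrive in an e-mail (spacing, case, an optional 0x prefix), refuses to accept anything shorter than a full fingerprint (a 16-hex-digit key ID, for instance), and compares in constant time. The fingerprint values are constructed for illustration and belong to no real key; the 40-digit (v4) and 64-digit (RFC 9580 v6) lengths are the only assumptions about OpenPGP here.

```python
import hmac
import re

# Full OpenPGP fingerprint lengths in hex digits: v4 keys carry a 160-bit
# fingerprint, v6 keys (RFC 9580) a 256-bit one. Anything shorter is a key ID
# or a fragment and must not be accepted as an identity check.
FULL_FINGERPRINT_HEX_LENGTHS = (40, 64)

_HEX_RE = re.compile(r"^[0-9A-F]+$")


def normalize_fingerprint(text: str) -> str:
    """Canonicalise a fingerprint copied out of a message.

    Strips all whitespace (gpg prints groups of four), drops an optional
    0x prefix and upper-cases the hex digits so two renderings of the same
    fingerprint compare equal. Raises ValueError on anything that is not hex.
    """
    s = "".join(text.split()).upper()
    if s.startswith("0X"):
        s = s[2:]
    if not s or not _HEX_RE.match(s):
        raise ValueError("fingerprint contains non-hex characters")
    return s


def is_full_fingerprint(fp_hex: str) -> bool:
    """True only for a complete v4 or v6 fingerprint, never for a key ID."""
    return len(fp_hex) in FULL_FINGERPRINT_HEX_LENGTHS


def fingerprints_match(received_oob: str, fetched_key_fp: str) -> bool:
    """Compare the fingerprint Bob gave you OOB with the one on the key you fetched.

    Both inputs are normalised first; a partial fingerprint on either side is
    rejected outright rather than matched as a prefix. The comparison itself
    is constant-time, which costs nothing and avoids building the bad habit
    of comparing secrets-adjacent strings with ==.
    """
    a = normalize_fingerprint(received_oob)
    b = normalize_fingerprint(fetched_key_fp)
    if not (is_full_fingerprint(a) and is_full_fingerprint(b)):
        return False
    return hmac.compare_digest(a.encode("ascii"), b.encode("ascii"))


# Constructed sample values (not a real key): the same fingerprint as gpg
# would print it, as a lowercase 0x-prefixed string, and a bare 64-bit key ID.
SAMPLE_OOB_FINGERPRINT = "1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678"
SAMPLE_FETCHED_FINGERPRINT = "0x123456789abcdef0123456789abcdef012345678"
SAMPLE_KEY_ID_ONLY = "9ABC DEF0 1234 5678"


def demo() -> dict:
    """Run the check over the constructed samples and return the outcomes."""
    return {
        "same_key_different_rendering": fingerprints_match(
            SAMPLE_OOB_FINGERPRINT, SAMPLE_FETCHED_FINGERPRINT
        ),
        # A key ID is a suffix of the fingerprint but is not proof of the key.
        "key_id_rejected": fingerprints_match(
            SAMPLE_KEY_ID_ONLY, SAMPLE_FETCHED_FINGERPRINT
        ),
        # One digit off anywhere means a different key.
        "one_digit_off": fingerprints_match(
            SAMPLE_OOB_FINGERPRINT, SAMPLE_FETCHED_FINGERPRINT[:-1] + "9"
        ),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

This only settles whether the key you hold is the key Bob described; whether the person typing at "bob at corporate.domain" was Bob is the question the rest of the thread is about, and no string comparison answers it.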