trust your corporation for keyowner identification?
Brian J. Murrell
brian at interlinx.bc.ca
Fri Oct 25 18:54:19 CEST 2013
On 13-10-22 04:57 PM, MFPA wrote:
> It appears you probably meant the communication with
> "bob at corporate.domain" was the out-of-band channel by which you and
> Bob told each other your OpenPGP key fingerprints, and that being able
> to send emails from those corporate accounts also doubled as identity
> verification (because only the individual knows the relevant
> credentials to send from "their" corporate email address, and the
> company is required to verify government-issued ID documents when
> engaging staff).

Indeed. You have it exactly. Sorry I was not more clear about these
details in the beginning.

> As for use of a corporate email address, could I be sure that Bob
> locked his computer every time he left his desk? Or that nobody else
> would ever have access to a written record of Bob's passwords? Or
> that, in Bob's absence, a substitute would never use Bob's email
> address when covering his work?

Indeed. Those are all things you'd have to take into account, just like
having to take into account the risk of IT being involved in a black-hat
role in all of this.

I have to admit that any/all of those possibilities make me wary of such
a scheme. I think I'd have to be able to "test" Bob on the other end of
the OOB comms channel to use such a scheme. That seems to imply some
level of familiarity with Bob, which might not be unreasonable
considering we might work together.