On Wed, Oct 16, 2013 at 2:04 PM, Brian J. Murrell <br...@interlinx.bc.ca> wrote:

> If you worked in a corporate environment, would you trust the HR
> department there to have verified the identity of employees well enough
> to leverage that into signing a GPG key?

In general, I'd be fine with that. Corporations generally need a fairly large amount of information about their employees (e.g. for tax purposes) and so should be able to verify the identity of employees with a high degree of confidence.

> Let's say such an environment had a messaging system where employees
> had to authenticate with their corporate IT credentials in order to use
> the system. Would that, and the assertion by HR/IT that a message that
> I get from Bob really did come from the employee HR verified as Bob
> (i.e. when they hired him), be enough for you to trust the key you get from
> Bob enough to sign it, that it really is Bob's?
>
> I guess what I am describing is a virtual key signing party where the
> verification of IDs is being done by the corporation instead of the
> individuals.

In my specific case, I only publicly sign (as opposed to locally sign) keys when I have (a) personally met a person and verified their ID and key fingerprint/details or (b) a person is well-known to me (e.g. a family member, long-time friend, etc.) and they provide me their key fingerprint and communicate in a way that I can verify who they are (e.g. I call them on the phone, recognize their voice, and they read me their key fingerprint).

I would be reasonably sure that a key signed by an HR department actually belongs to the named person, but I wouldn't publicly assert that by signing their key.

Your mileage may vary. :)

Cheers!
-Pete

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users