> If you worked in a corporate environment, would you trust the HR
> department there to have verified the identity of employees well enough
> to leverage that into signing a GPG key?

This is the wrong question, really.

HR is pretty good about verifying identity documents. HR gets specialized training in what proper identity documents look like, and HR typically has ways to check those documents with the government. Even small firms do a lot of identity verification -- in the United States you can't legally work without presenting your employer with a passport (or, alternatively, a driver's license and Social Security card). Not even a McDonald's or a 7-11 will let you work there without providing them with those documents.

But HR is probably really bad about understanding the nuances of the Web of Trust, what it means to make a certification, whether a certification should be made at all, what level of certification should be made, and so forth. The limiting factor here is technological skill, not document verification.

That said, I've worked for two companies that did this and did it quite competently.

I haven't kept up with PGP since they got bought out by Symantec, but I know that from at least '95 to '05 they would issue corporate signatures to employee certificates, if the employee requested it. They did this so that other users could be confident in who was really an employee of PGP Security and who wasn't.


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users