In my proposed scenario, the corporation is doing nothing more than
providing a means for the participants to know that Bob is actually Bob
because the company has checked his ID and said he is, and providing an
authenticated means (again, IT being a black-hat aside) to communicate
with Bob and verify fingerprints, etc.

Under this scenario, the entire thing is dangerously bogus.

When I sign a certificate, I am sending a message: "I am vouching for the identity of X." Under your scenario, I'm no longer vouching for the identity of X. I would instead be saying, "Someone else who is not listed on this signature has vouched for the identity of X. I am signing this without any direct personal knowledge of X's identity."

If you're vouching for X's identity, you need to take positive steps to verify X's identity. If someone else is vouching for X's identity, then let them sign X's certificate. Why should you get involved without doing your own positive verification?


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
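The reply above argues that a key signature is a statement about what the signer personally verified. OpenPGP encodes exactly that claim in the certification signature type (RFC 4880 section 5.2.1: 0x10 generic, 0x11 persona, 0x12 casual, 0x13 positive). The following is an added example, not code from the thread or from GnuPG: it decodes the type from a v4 signature packet header and reports what the signer is claiming. The sample packets are constructed and truncated (no subpackets, hash prefix or MPIs), which is an assumption for illustration only.

```python
"""Decode the certification type of an OpenPGP v4 key signature (RFC 4880)."""
import struct

# RFC 4880 section 5.2.1: certification signature types and the claim each one makes.
CERT_TYPES = {
    0x10: "generic: no statement about how the identity was verified",
    0x11: "persona: signer has NOT verified the identity",
    0x12: "casual: some casual verification of the identity",
    0x13: "positive: substantial verification of the identity",
}


def parse_signature_packet(data: bytes) -> dict:
    """Parse an old-format OpenPGP signature packet (tag 2) with a v4 body.

    Returns the signature type, its meaning, algorithms and the hashed subpacket area.
    """
    tag_byte = data[0]
    if not tag_byte & 0x80 or tag_byte & 0x40:
        raise ValueError("expected an old-format packet header")
    tag = (tag_byte >> 2) & 0x0F
    if tag != 2:
        raise ValueError(f"not a signature packet (tag {tag})")
    length_type = tag_byte & 0x03
    if length_type == 0:
        body_len, off = data[1], 2
    elif length_type == 1:
        body_len, off = struct.unpack(">H", data[1:3])[0], 3
    else:
        raise ValueError("unsupported packet length type")
    body = data[off:off + body_len]
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    sig_type, pk_alg, hash_alg = body[1], body[2], body[3]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    return {
        "sig_type": sig_type,
        "claim": CERT_TYPES.get(sig_type, "not a certification signature"),
        "pk_alg": pk_alg,
        "hash_alg": hash_alg,
        "hashed_subpackets": body[6:6 + hashed_len],
    }


def claims_verified_identity(sig_type: int) -> bool:
    """True only for certification types whose signer claims to have checked identity."""
    return sig_type in (0x12, 0x13)


# Constructed samples: header 0x88 (old format, tag 2, one-byte length), body length 6,
# then version 4, signature type, RSA (1), SHA-256 (8), hashed subpacket length 0.
SAMPLE_POSITIVE = bytes([0x88, 0x06, 0x04, 0x13, 0x01, 0x08, 0x00, 0x00])
SAMPLE_PERSONA = bytes([0x88, 0x06, 0x04, 0x11, 0x01, 0x08, 0x00, 0x00])
```

A signer who has done no verification of their own has only the persona type (0x11) available as an honest statement; anything stronger asserts a check the signer did not make.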
