On Thu, Oct 17, 2013 at 01:54:54PM -0700, Robert J. Hansen wrote:
> >In my proposed scenario, the corporation is doing nothing more than
> >providing a means for the participants to know that Bob is actually Bob
> >because the company has checked his id and said he is and providing an
> >authenticated means (again, IT being a black-hat aside) to communicate
> >with Bob and verify fingerprints, etc.
>
> Under this scenario, the entire thing is dangerously bogus.
>
> When I sign a certificate, I am sending a message: "I am vouching
> for the identity of X." Under your scenario, I'm no longer vouching
> for the identity of X. I would instead be saying, "Someone else who
> is not listed on this signature has vouched for the identity of X.
> I am signing this without any direct personal knowledge of X's
> identity."
>
> If you're vouching for X's identity, you need to take positive steps
> to verify X's identity. If someone else is vouching for X's
> identity, then let them sign X's certificate. Why should you get
> involved without doing your own positive verification?
Now what if the Company/HR department had a Notary Public for their documents, and this same Notary had a gpg key he/she treated the same as his/her stamp equipment, and used the same standards before signing a gpg key?

Wolf
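The exchange above turns on what a certification signature records: the signer is the one vouching, and other users decide how far to trust that signer. The following is an added illustration, not code from the thread or from GnuPG. It models GnuPG's classic trust model (key validity derived from certifications plus per-key ownertrust, with the default thresholds of 3 marginals or 1 complete) over constructed keyrings whose fingerprints are just labels. One keyring follows Hansen's advice (the notary who checked Bob's ID signs Bob's key, and Alice assigns ownertrust to the notary); the other has Alice signing Bob on the company's say-so, so a third party relying on Alice sees Bob as valid while the record names Alice, not the person who actually checked.

```python
"""Simplified GnuPG classic (pgp) trust model, built for illustration.

A key is 'full'-valid for the keyring owner when it carries a certification
from a valid key with full ownertrust, or from enough valid keys with
marginal ownertrust. Ownertrust is the keyring owner's private opinion of a
signer; certifications are the public record of who vouched for whom.
"""
from dataclasses import dataclass, field

MARGINALS_NEEDED = 3   # GnuPG default --marginals-needed
COMPLETES_NEEDED = 1   # GnuPG default --completes-needed


@dataclass
class Key:
    fpr: str                                   # constructed label, not a real fingerprint
    uid: str
    certifications: set = field(default_factory=set)  # fprs of keys that signed this key


@dataclass
class Keyring:
    keys: dict                                 # fpr -> Key
    ownertrust: dict                           # fpr -> ultimate | full | marginal | unknown

    def validity(self, fpr, seen=frozenset()):
        """Compute validity of `fpr` for this keyring's owner."""
        if self.ownertrust.get(fpr) == "ultimate":
            return "ultimate"
        if fpr in seen:                        # guard against certification cycles
            return "unknown"
        seen = seen | {fpr}
        fulls = marginals = 0
        for signer in self.keys[fpr].certifications:
            if signer == fpr:                  # self-signature carries no third-party assurance
                continue
            if self.validity(signer, seen) not in ("ultimate", "full"):
                continue                       # a signer's own key must be valid first
            trust = self.ownertrust.get(signer, "unknown")
            if trust in ("ultimate", "full"):
                fulls += 1
            elif trust == "marginal":
                marginals += 1
        if fulls >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
            return "full"
        return "marginal" if marginals else "unknown"

    def who_vouched(self, fpr):
        """The public record: which keys certified `fpr` (self-signature excluded)."""
        return self.keys[fpr].certifications - {fpr}


def notary_signs_scenario(notary_trust="full"):
    """Hansen's model: the party that checked the ID is the one that signs.

    Alice met the notary and certified the notary's key; she never signs Bob
    because she never verified Bob. She chooses how much to rely on the notary
    via ownertrust. Returns (Bob's validity, who publicly vouched for Bob).
    """
    alice = Key("ALICE", "Alice", {"ALICE"})
    notary = Key("NOTARY", "Company Notary", {"NOTARY", "ALICE"})
    bob = Key("BOB", "Bob", {"BOB", "NOTARY"})
    ring = Keyring({k.fpr: k for k in (alice, notary, bob)},
                   {"ALICE": "ultimate", "NOTARY": notary_trust})
    return ring.validity("BOB"), ring.who_vouched("BOB")


def proxy_signing_scenario():
    """The scenario Hansen objects to: Alice signs Bob on the company's word.

    Carol met Alice and trusts her fully. Carol now sees Bob as valid, but the
    certification names Alice as the voucher; the notary who actually did the
    checking appears nowhere. Returns (Bob's validity, who publicly vouched).
    """
    carol = Key("CAROL", "Carol", {"CAROL"})
    alice = Key("ALICE", "Alice", {"ALICE", "CAROL"})
    bob = Key("BOB", "Bob", {"BOB", "ALICE"})       # no notary certification on record
    ring = Keyring({k.fpr: k for k in (carol, alice, bob)},
                   {"CAROL": "ultimate", "ALICE": "full"})
    return ring.validity("BOB"), ring.who_vouched("BOB")


if __name__ == "__main__":
    print("notary signs, full trust:    ", notary_signs_scenario("full"))
    print("notary signs, marginal trust:", notary_signs_scenario("marginal"))
    print("alice signs as proxy:        ", proxy_signing_scenario())
```

In the first scenario the assurance chain is visible and adjustable: drop the notary's ownertrust to marginal and Bob's validity drops with it. In the second, Bob is equally "valid" to Carol, but nothing in the keyring tells her that Alice never checked Bob herself, which is exactly the message the thread says a signature should not send.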
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users