trust your corporation for keyowner identification?

Mark H. Wood mwood at IUPUI.Edu
Wed Oct 16 15:37:37 CEST 2013


On Wed, Oct 16, 2013 at 08:04:39AM -0400, Brian J. Murrell wrote:
> If you worked in a corporate environment, would you trust the HR
> department there to have verified the identity of employees well enough
> to leverage that into signing a GPG key?

Not without investigating their procedures.

> Let's say such an environment had an messaging system where employees
> had to authenticate with their corporate IT credentials in order to use
> the system.  Would that, and the assertion by HR/IT that a message that
> I get from Bob really did come from the employee HR verified as Bob
> (i.e. when they hired him) be enough for you trust the key you get from
> Bob enough to sign it that it really is really Bob's?
> 
> I guess what I am describing is a virtual key signing party where the
> verification of IDs is being done by the corporation instead of the
> individuals.

Then let the corporation (i.e. HR) do the signing and you decide
whether to trust HR's signatures.

Really this should be designed into the corporation rather than pasted
on.  The chief security officer should somehow determine what would be
satisfactory procedures for verifying identity for the purpose of
issuing such signatures and get it accepted as a requirement for HR.
Probably this will be designed in consultation with HR so that it will
actually be implemented properly and not be a constant source of
pushback.  The meaning of such signatures should be documented and
published internally, so that relying parties know what they are
getting and can decide for what and how far they are willing to rely
on them.  Part of the determination should be the purpose and scope of
such signatures.

One factor in the steady drizzle of corporate security failures is
the notion that one can buy a box of security off the shelf and
thereafter be secure, without thinking about what one is doing.  It
seems to me that designing secure processes for your specific needs
should work better and be cheaper in the end.

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Machines should not be friendly.  Machines should be obedient.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: </pipermail/attachments/20131016/ca921b4d/attachment.sig>


More information about the Gnupg-users mailing list