trust your corporation for keyowner identification?
Brian J. Murrell
brian at interlinx.bc.ca
Thu Oct 17 21:42:37 CEST 2013
On 13-10-17 09:07 AM, Johan Wevers wrote:
>
> Yes there is: the practical point of using those keys. Why would a HR
> department sign employees' keys?

Look at my update to this thread yesterday. I already said in that
message that the HR department is NOT signing keys and that the
corporation in fact is not even involved with GPG in any way whatsoever.

> I assume to have the employee use it in
> encrypted communications with colleagues / customers / whoever.

No. This has nothing to do with corporate key use. This is merely a
way for individuals, as individuals, to enhance the certification of
their keys by having a "virtual keysigning party" within their company.

This is no different than going to your LUG and having a keysigning
party there. The LUG itself does not participate in any way (i.e.
signing keys, etc.) other than to provide a venue for the people to meet.

In my proposed scenario, the corporation is doing nothing more than
providing a means for the participants to know that Bob is actually Bob
because the company has checked his ID and said he is and providing an
authenticated means (again, IT being a black-hat aside) to communicate
with Bob and verify fingerprints, etc.

b.
More information about the Gnupg-users
mailing list