If you worked in a corporate environment, would you trust the HR department there to have verified the identity of employees well enough to leverage that into signing a GPG key?
Let's say such an environment had an messaging system where employees had to authenticate with their corporate IT credentials in order to use the system. Would that, and the assertion by HR/IT that a message that I get from Bob really did come from the employee HR verified as Bob (i.e. when they hired him) be enough for you trust the key you get from Bob enough to sign it that it really is really Bob's? I guess what I am describing is a virtual key signing party where the verification of IDs is being done by the corporation instead of the individuals. Cheers, b.
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
