On 13-10-22 04:57 PM, MFPA wrote:
> Hi

Hi,

> It appears you probably meant the communication with
> "bob@corporate.domain" was the out-of-band channel by which you and
> Bob told each other your OpenPGP key fingerprints, and that being able
> to send emails from those corporate accounts also doubled as identity
> verification (because only the individual knows the relevant
> credentials to send from "their" corporate email address, and the
> company is required to verify government-issued ID documents when
> engaging staff).

Indeed. You have it exactly. Sorry I was not more clear about these details in the beginning.

> As for use of a corporate email address, could I be sure that Bob
> locked his computer every time he left his desk? Or that nobody else
> would ever have access to a written record of Bob's passwords? Or
> that, in Bob's absence, a substitute would never use Bob's email
> address when covering his work?

Indeed. Those are all things you'd have to take into account, just like having to take into account the risk of IT being involved in a black-hat role in all of this.

I have to admit that any/all of those possibilities make me wary of such a scheme. I think I'd have to be able to "test" Bob on the other end of the OOB comms channel to use such a scheme. That seems to imply some level of familiarity with Bob, which might not be unreasonable considering we might work together.

Cheers, b.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
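The thread above turns on one mechanical step: the fingerprint Bob reads out over the out-of-band channel has to be compared against the fingerprint computed from the key that actually arrived. The following is an added example, not code from this thread or from GnuPG, showing that step in Python: it computes an OpenPGP v4 fingerprint the way RFC 4880 defines it (SHA-1 over 0x99, a two-byte length, and the public-key packet body), normalises the string a person would read aloud (spaces, colons, mixed case), and refuses to accept anything shorter than the full 40 hex digits, so a matching 16-digit key ID is not mistaken for verification. The RSA parameters in the sample packet are constructed and far too small to be a real key; they only exercise the computation.

```python
import hashlib
import hmac
import re


def _mpi(value: bytes) -> bytes:
    """Encode an OpenPGP multi-precision integer: 2-byte bit length, then big-endian value."""
    value = value.lstrip(b"\x00") or b"\x00"
    bits = value[0].bit_length() + 8 * (len(value) - 1)
    return bits.to_bytes(2, "big") + value


def build_v4_rsa_public_key_body(created: int, n: bytes, e: bytes) -> bytes:
    """Build the body of a v4 public-key packet for an RSA key (RFC 4880 section 5.5.2).

    Layout: version (0x04), 4-byte creation time, algorithm id (1 = RSA), MPI n, MPI e.
    Constructed for illustration; callers pass made-up n and e.
    """
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + _mpi(n) + _mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """v4 fingerprint: SHA-1 over 0x99 || two-byte body length || body, as 40 upper-case hex digits."""
    digest = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body)
    return digest.hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 16 hex digits of a v4 fingerprint."""
    return normalize_fingerprint(fingerprint)[-16:]


_FULL_FPR = re.compile(r"^[0-9A-F]{40}$")


def normalize_fingerprint(text: str) -> str:
    """Strip the grouping people use when reading a fingerprint aloud or writing it down."""
    return re.sub(r"[\s:]", "", text).upper()


def fingerprints_match(computed: str, received_out_of_band: str) -> bool:
    """True only when both strings are full 40-digit fingerprints and are identical.

    A short key ID or a prefix is rejected outright: a partial match is not verification.
    The comparison is constant-time so the check itself leaks nothing about the expected value.
    """
    a = normalize_fingerprint(computed)
    b = normalize_fingerprint(received_out_of_band)
    if not (_FULL_FPR.match(a) and _FULL_FPR.match(b)):
        return False
    return hmac.compare_digest(a.encode(), b.encode())


# Constructed sample key material: a toy modulus and the common exponent 65537.
SAMPLE_BODY = build_v4_rsa_public_key_body(
    created=1381000000,
    n=bytes.fromhex("c34f8b1d9e02a7c6f5b31e0d7a9c4f2b"),
    e=b"\x01\x00\x01",
)


def demo() -> dict:
    """Run the comparison against a few forms the out-of-band value might take."""
    fpr = v4_fingerprint(SAMPLE_BODY)
    spoken = " ".join(fpr[i:i + 4] for i in range(0, 40, 4)).lower()  # as read over the phone
    return {
        "fingerprint": fpr,
        "key_id": key_id(fpr),
        "spoken_form_matches": fingerprints_match(fpr, spoken),
        "key_id_only_accepted": fingerprints_match(fpr, key_id(fpr)),
        "last_digit_changed_accepted": fingerprints_match(
            fpr, fpr[:-1] + ("0" if fpr[-1] != "0" else "1")
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the two rejections in `demo()` is the one the thread circles around: the out-of-band channel only helps if what is compared over it is the whole fingerprint and the comparison is exact; a key ID or a "looks about right" prefix gives the ceremony without the assurance.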