> However, i see *no* legitimate need for any employer to be able to
> forge data signatures or identity certifications from your
> work-related key. escrow only make sense for encryption-capable
> keys in limited contexts.
Imagine this: you're a purchasing agent at Yoyodyne. You've established
WoT connections with all your providers using a certificate whose only
UID is:
"Daniel Kahn Gillmor (sales orders only) <d...@yoyodyne.com>"
Now you go out on vacation for three weeks and on day four a sudden
business need arises in which a sales order must be filed.
Seems perfectly reasonable for me for the company to issue a signature
on a purchase order using your *corporate-owned*, *corporate-controlled*
certificate, which was always issued for the needs of the corporation.
Just because a certificate has your name on it doesn't make it yours and
doesn't mean you have a legal or moral right to control how it's used.
Personally, I would prefer not to have my name on such a certificate,
for reasons that have already been expressed on the list. But if
there's a corporate policy that says each cert must have the name of
someone authorized to use it, then that's the way you play the game.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
