This is not the first time I've been challenged to provide a company letterhead as a form of authentication by a large, reasonably sophisticated company. How is this still considered quality best practice?
Legal auth is simply making sure they can sue you, and/or get you sent to prison if you circumvent their system.
Also, there isn't a standard way to identify a company and to validate its actions. A slightly better one (at least where Latin notaries exist) is that the company secretariat makes a declaration of whatever and includes a certified copy of the company registration that certifies that the said person is the secretary of the company, but you end up with the ID problem except that it's for companies. Maybe a standard "passport" identifying companies? Did I re-invent parts of apostille? (https://en.wikipedia.org/wiki/Apostille_Convention)
It reminds me of how lawyers are happy to accept signatures by fax. You could be a rather lousy forger, yet because of the huge and extremely black pixels, still make a passable forged signature over fax. You can even tape a real signature on the page, or make numerous corrections, because the resolution simply cannot show any of those details. There is not much one would consider reliable about a faxed document.
The purpose of a lot of these sorts of requirements is not authentication. It's ensuring that if you do do it, you trigger the statutory requirement for some particular criminal offense. For example, a jurisdiction might have a crime of forgery which is substantially easier to prosecute than fraud (perhaps fraud would need the prosecution to prove intent to make financial gain, whereas forgery might be satisfied as soon as you can prove the signature was forged -- hypothetical example, it will vary by jurisdiction and IANAL).
These sorts of statutes might have been written before computers or even faxes, and there might be caselaw to the effect that forging someone's signature and sending it by fax does satisfy the requirements of the offence, but none yet for just writing your name at the bottom of an email; things like that.
Anyway, this is about shifting liability with minimal effort. As such, I'd consider it best practice. Of course, I'm using that term in a different way than you, but you just need to appreciate the goal here. It's not at all about "authenticating" you as a heretofore unknown, authorized member of the org -- that's extremely difficult, even at small scale.
But I suspect this has a lot more to do with proving that you are explicitly representing yourself to them as a member of the organization; not proving that you actually are part of the organization.
Plenty of "open source projects" are nothing more than some informal group working together. It's not like they are registered with the government.
And we have a central organisation called PRADO with information on how to verify any EU country's passport. https://www.consilium.europa.eu/prado/en/prado-start-page.ht...
Granted that's not to say people will actually verify passports using the data, but it is there compared to a letterhead being effectively just a random doc template.
That seems more secure than physical signatures and letterheads, which can presumably be easily forged.
But Keybase seems not developed anymore. Does anyone know what’s the situation?
But don't take my word for it. Read what Adam Smith had to say about it first in the Wealth of Nations. https://www.ibiblio.org/ml/libri/s/SmithA_WealthNations_p.pd...