Robot CA at toehold.com
Adrian 'Dagurashibanipal' von Bidder
Sun Dec 8 18:36:02 2002
On Sun, 2002-12-08 at 17:48, Michael Nahrath wrote:
> Adrian 'Dagurashibanipal' von Bidder <firstname.lastname@example.org> schrieb am
> 2002-12-08 16:07 Uhr:
> > Hmmm. Collecting signatures on a key is collecting trust. Personally, I
> > do sign keys of CAs I trust (with a policy URL with a statement how much
> > I trust them).
> Signing doesn't express anything about trust. It is about identity.
> Signing a CA means that you have checked that the CA's key really belongs to
> the organisation that runs the CA service.
> I guess you did this with key 0xB3B2A12C.
> The CA is driven by a computer magazine and they print this key's
> fingerprint in each edition, so you can verify it (meaning: "this key really
> belongs to this company").
> So you had occasion to verify the key belongs to its (non-human) owner by a
> second channel other than the internet (paper).
Yes, in the end it's also something about identity. But when I don't
trust a CA, regardless of whether I verified their key or not, I don't
want them in my web of trust, so I'll never even consider signing them.
For personal keys things are different - keys are signed just for
identification purposes. But I feel that for a CA's key it tells
something about who would consider using a CA's key to build a trust
this email is protected by a digital signature: http://fortytwo.ch/gpg
NOTE: keyserver bugs! get my key here: https://fortytwo.ch/gpg/92082481
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822
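As an added illustration of the distinction argued over in this thread (not code from the list or from either author): a small Python model of GnuPG's classic trust model, in which a certification on a key only asserts an identity binding, while whether that key's owner may vouch for other keys is a separate, local ownertrust setting. The key names are constructed, and the thresholds (completes-needed=1, marginals-needed=3) are GnuPG's defaults.

```python
"""Minimal web-of-trust validity calculator (constructed example).

Models GnuPG's classic trust model: a certification (signature) on a key
only asserts an identity binding; ownertrust is a separate statement about
how much you trust the key's owner as an introducer of other keys.
Thresholds mirror GnuPG defaults: completes-needed=1, marginals-needed=3.
"""
from typing import Dict, Set

COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3


def compute_validity(own_key: str, certs: Dict[str, Set[str]],
                     ownertrust: Dict[str, str]) -> Dict[str, str]:
    """Return validity ('full', 'marginal' or 'unknown') for every key.

    certs maps key -> set of keys that certified (signed) it.
    ownertrust maps key -> 'ultimate' | 'full' | 'marginal' | 'never' | 'unknown'.
    """
    validity = {k: "unknown" for k in certs}
    validity[own_key] = "full"  # your own key is ultimately trusted
    changed = True
    while changed:  # validity only ever increases, so this terminates
        changed = False
        for key, signers in certs.items():
            if validity[key] == "full":
                continue
            # Only a VALID signer whose owner you trust counts as an introducer.
            fulls = sum(1 for s in signers if validity.get(s) == "full"
                        and ownertrust.get(s) in ("ultimate", "full"))
            margs = sum(1 for s in signers if validity.get(s) == "full"
                        and ownertrust.get(s) == "marginal")
            if fulls >= COMPLETES_NEEDED or margs >= MARGINALS_NEEDED:
                new = "full"
            elif fulls + margs > 0:
                new = "marginal"
            else:
                new = "unknown"
            if new != validity[key]:
                validity[key], changed = new, True
    return validity


def scenario(ca_trust: str) -> Dict[str, str]:
    """Constructed keyring: 'me' signed the CA key after checking its identity;
    'alice' is certified only by the CA. Only ca_trust (ownertrust) varies."""
    certs = {"ca": {"me"}, "alice": {"ca"}}
    return compute_validity("me", certs, {"me": "ultimate", "ca": ca_trust})
```

Signing the CA key makes the CA key itself valid in every scenario, but keys the CA certified become valid only once you assign the CA ownertrust; with ownertrust "never", alice stays unknown.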