Robot CA at toehold.com
Adrian 'Dagurashibanipal' von Bidder
avbidder@fortytwo.ch
Sun Dec 8 18:36:02 2002
--=-oL99zE4CuQVzRBNAtbcF
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
On Sun, 2002-12-08 at 17:48, Michael Nahrath wrote:
> Adrian 'Dagurashibanipal' von Bidder <avbidder@fortytwo.ch> schrieb am
> 2002-12-08 16:07 Uhr:
> > Hmmm. Collecting signatures on a key is collecting trust. Personally, I
> > do sign keys of CAs I trust (with a policy URL with a statement how muc=
h
> > I trust them).=20
>=20
> Signing doesn't express anything about trust. It is about identity.
>=20
> Signing a CA means that you have checked that the CA's key really belongs=
to
> the organisation that runs the CA service.
>=20
> I guess you did this with key 0xB3B2A12C
> The CA is driven by a computer magazine and they print this key's
> fingerprint to each edition, so you can verify it (meaning: "this key rea=
lly
> belongs to this company").
>=20
> So you had occation to verify the key belongs to its (non human) owner by=
a
> second chanel than the internet (paper).
Yes, in the end it's also something about identity. But when I don't
trust a CA, regardless of whether I verified their key or not, I don't
want them in my web of trust, so I'll never even consider signing them.
For personal keys things are different - keys are signed just for
identification purposes. But I feel that for a CAs key it tells
something about who would consider using a CAs key to build a trust
path.
cheers
-- vbi
--=20
this email is protected by a digital signature: http://fortytwo.ch/gpg
NOTE: keyserver bugs! get my key here: https://fortytwo.ch/gpg/92082481
--=-oL99zE4CuQVzRBNAtbcF
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iHMEABECADMFAj3zg00sGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h
aWwuMjAwMjA4MjIACgkQi6Qxi+Wn99YJtwCgt/mvQaPXroqDg4T2K83m5pp6gNYA
oIwPWshOncfGoJvIPwSrVh1ZSdUi
=ynOo
-----END PGP SIGNATURE-----
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822
--=-oL99zE4CuQVzRBNAtbcF--