Robot CA at

Adrian 'Dagurashibanipal' von Bidder
Sun Dec 8 18:36:02 2002

On Sun, 2002-12-08 at 17:48, Michael Nahrath wrote:
> Adrian 'Dagurashibanipal' von Bidder <> wrote on
> 2002-12-08 at 16:07:

> > Hmmm. Collecting signatures on a key is collecting trust. Personally, I
> > do sign keys of CAs I trust (with a policy URL with a statement how much
> > I trust them).
> Signing doesn't express anything about trust. It is about identity.
> Signing a CA means that you have checked that the CA's key really belongs to
> the organisation that runs the CA service.
> I guess you did this with key 0xB3B2A12C
> The CA is driven by a computer magazine and they print this key's
> fingerprint to each edition, so you can verify it (meaning: "this key really
> belongs to this company").
> So you had occasion to verify the key belongs to its (non human) owner by a
> second channel than the internet (paper).

Yes, in the end it's also something about identity. But when I don't
trust a CA, regardless of whether I verified their key or not, I don't
want them in my web of trust, so I'll never even consider signing them.

For personal keys things are different - keys are signed just for
identification purposes. But I feel that for a CA's key it tells
something about who would consider using a CA's key to build a trust

-- vbi

this email is protected by a digital signature:

NOTE: keyserver bugs! get my key here:
