Robot CA at toehold.com
Michael Nahrath
gnupg-users@nahrath.de
Sun Dec 8 20:27:06 2002
Adrian 'Dagurashibanipal' von Bidder <avbidder@fortytwo.ch> schrieb am
2002-12-08 18:37 Uhr:
>> Signing a CA means that you have checked that the CA's key really belongs to
>> the organisation that runs the CA service.
>>
>> I guess you did this with key 0xB3B2A12C
>> The CA is driven by a computer magazine and they print this key's
>> fingerprint to each edition, so you can verify it (meaning: "this key really
>> belongs to this company").
>>
>> So you had occation to verify the key belongs to its (non human) owner by a
>> second chanel than the internet (paper).
>
> Yes, in the end it's also something about identity. But when I don't
> trust a CA, regardless of whether I verified their key or not, I don't
> want them in my web of trust, so I'll never even consider signing them.
Indeed there is a trust component on signing. You need trust in the
constitution of this organisation, mainly the trust that they keep to their
policy and will in the future. So reputation and trust is cruical for
accepting a CA organisation as a "legal person".
Imagine 'Heise' would be taken over by another publishing house that doesn't
guarantee the policy of the 'Krypto-Kampagne'.
Would the current Heise employees hand out the full data of the cert-key?
I trust they wouldn't. That is the base that made me sign their key.
I trust that if the organisation would end to exist in the current form the
key would as well.
Greeting, Michi