AW: gpg certificate authorities

JanuszA.Urbanowicz JanuszA.Urbanowicz
Mon Feb 18 17:09:02 2002


Huels, Ralf SCORE wrote/napisa=B3[a]/schrieb:
> > The problem is more social than technical - to have working CAs, they m=
ust
> > be CAs that most people in the web of trust trust.=20
>=20
> Also, some people argue that X.509 is more interesting for commercial tru=
st=20
> centers than OpenPGP because the hierarchical PKI calls for a central tru=
st=20
> authority in a way the web of trust approach does not.

The CA trust is simply hardcoded into X509-aware apps. There is nothing that
prevents a subset of OpenPGP users to use a modified GnuPG that has hadcoded
trust for some key. It would give the same outcome. The only difference is
that absolute truth for some key is a requirement for X509 PKI while it is
note for OpenPGP.

OpenPGP for example allows such a situation: I am a Thawte WOT notary so I
trust their signing key. I set this key to have high (or even ultimate
trust). Other people who also trust the key may set this similarly. But
there's no way to enforce the setting. This is IMO the main disadvantage of
OpenPGP - that it requires user activity and dedication to function
properly.

Alex
--=20
C _-=3D-_ H| Janusz A. Urbanowicz | ALEX3-RIPE | SF-F Framling |         | =
  *  =09
 ; (_O : +-------------------------------------------------------------+ --=
+~|=09
 ! &~) ? | P=B3yn=B1=E6 chc=EA na Wsch=F3d, za Suez, gdzie jest dobrem ka=
=BFde z=B3o | l_|/=09
A ~-=3D-~ O| Gdzie przykaza=F1 brak dziesi=EAciu, a pi=E6 mo=BFna a=BF po d=
no;     |   |  =20