AW: gpg certificate authorities

David Shaw
Mon Feb 18 18:18:02 2002

On Mon, Feb 18, 2002 at 05:00:24PM +0100, Janusz A. Urbanowicz wrote:
> Huels, Ralf SCORE wrote:
> > > The problem is more social than technical - to have working CAs,
> > > they must be CAs that most people in the web of trust trust.
> > 
> > Also, some people argue that X.509 is more interesting for
> > commercial trust centers than OpenPGP because the hierarchical PKI
> > calls for a central trust authority in a way the web of trust
> > approach does not.
> The CA trust is simply hardcoded into X509-aware apps. There is nothing that
> prevents a subset of OpenPGP users to use a modified GnuPG that has hardcoded
> trust for some key. It would give the same outcome. The only difference is
> that absolute truth for some key is a requirement for X509 PKI while it is
> not for OpenPGP.
> OpenPGP for example allows such a situation: I am a Thawte WOT notary so I
> trust their signing key. I set this key to have high (or even ultimate
> trust). Other people who also trust the key may set this similarly. But
> there's no way to enforce the setting. This is IMO the main disadvantage of
> OpenPGP - that it requires user activity and dedication to function
> properly.

Yes, but at the same time, this is also one of the main advantages to
OpenPGP - that it does not require the user to trust a CA to function
properly ;)


   David Shaw
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
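The quoted exchange turns on one mechanism: in OpenPGP, "trusting the notary key" is a per-user ownertrust setting that each person must make locally, and nothing in the protocol propagates it. The following is an added illustration, not code from this thread or from GnuPG: a simplified re-implementation of GnuPG's classic trust computation (certifications plus a local ownertrust table yield key validity), run against a constructed set of keys and signatures. The key names (me, thawte, alice, bob, dave, erin, carol) and the certification graph are made up for the example; the thresholds are GnuPG's documented defaults for --completes-needed, --marginals-needed and --max-cert-depth, and the depth handling is an approximation of GnuPG's path-length limit.

```python
# Added example: a simplified model of GnuPG's classic trust model.  Validity is
# computed from certifications (key signatures, shared by everyone who imports
# them) and ownertrust (a private table in each user's trustdb.gpg).  The same
# signatures therefore yield different validity for different users, which is
# why a "trusted notary key" cannot be enforced on other OpenPGP users.
# Key names and the signature graph below are constructed, not real keys.

UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"

COMPLETES_NEEDED = 1   # gpg default for --completes-needed
MARGINALS_NEEDED = 3   # gpg default for --marginals-needed
MAX_CERT_DEPTH = 5     # gpg default for --max-cert-depth

# Constructed certification graph: key -> set of keys that certified (signed) it.
# "thawte" stands in for the notary key from the thread; the rest are hypothetical.
CERTS = {
    "me": set(),
    "thawte": {"me"},                  # I verified and signed the notary key
    "alice": {"thawte"},
    "bob": {"thawte"},
    "dave": {"thawte"},
    "erin": {"thawte"},
    "carol": {"alice", "dave", "erin"},  # introduced by end users, never by the notary
}


def compute_validity(certs, ownertrust):
    """Return key -> validity (UNKNOWN, MARGINAL or FULL) as seen by one user.

    ownertrust is that user's private table (what `gpg --edit-key KEY trust`
    writes locally).  A certification counts only if the certifying key is
    itself fully valid in this user's view AND the user gave it marginal or
    better ownertrust.  Ultimately trusted keys are valid by fiat.
    """
    validity = {key: UNKNOWN for key in certs}
    for key, level in ownertrust.items():
        if level == ULTIMATE and key in validity:
            validity[key] = FULL
    # Each pass extends valid paths by one certification, so capping the number
    # of passes approximates GnuPG's max-cert-depth limit (simplification).
    for _ in range(MAX_CERT_DEPTH):
        changed = False
        for key, signers in certs.items():
            if validity[key] == FULL:
                continue
            full_signers = marginal_signers = 0
            for signer in signers:
                if validity.get(signer) != FULL:
                    continue            # signatures by non-valid keys are ignored
                level = ownertrust.get(signer, UNKNOWN)
                if level in (FULL, ULTIMATE):
                    full_signers += 1
                elif level == MARGINAL:
                    marginal_signers += 1
                # NEVER and UNKNOWN contribute nothing
            if full_signers >= COMPLETES_NEEDED or marginal_signers >= MARGINALS_NEEDED:
                new = FULL
            elif full_signers or marginal_signers:
                new = MARGINAL
            else:
                new = validity[key]
            if new != validity[key]:
                validity[key] = new
                changed = True
        if not changed:
            break
    return validity


# My table: I certified the notary key and give it full ownertrust, the
# OpenPGP analogue of a CA hardcoded into an X.509 application.
MY_TRUST = {"me": ULTIMATE, "thawte": FULL}
# Three marginally trusted introducers make carol fully valid; two do not.
MY_TRUST_WITH_MARGINALS = {**MY_TRUST, "alice": MARGINAL, "dave": MARGINAL, "erin": MARGINAL}
MY_TRUST_TWO_MARGINALS = {**MY_TRUST, "alice": MARGINAL, "dave": MARGINAL}
# bob has the same keyring and the same signatures, but his own trustdb.
BOB_TRUST = {"bob": ULTIMATE}
# Ownertrust alone does nothing: thawte's only certifier ("me") is not valid
# for bob, so thawte stays invalid and its signatures still count for nothing.
BOB_TRUST_ONLY_OWNERTRUST = {"bob": ULTIMATE, "thawte": FULL}
# bob can opt in, but only by his own action (ultimate trust, or certifying it).
BOB_OPTS_IN = {"bob": ULTIMATE, "thawte": ULTIMATE}

if __name__ == "__main__":
    for label, table in [("me", MY_TRUST), ("me, 3 marginals", MY_TRUST_WITH_MARGINALS),
                         ("me, 2 marginals", MY_TRUST_TWO_MARGINALS), ("bob", BOB_TRUST),
                         ("bob, ownertrust only", BOB_TRUST_ONLY_OWNERTRUST),
                         ("bob opts in", BOB_OPTS_IN)]:
        print(f"{label:22} {compute_validity(CERTS, table)}")
```

Running it shows the asymmetry the thread describes: with my table the notary's certifications make alice, bob, dave and erin fully valid, while for bob, who imported exactly the same signatures, every key except his own stays unknown until he changes his own ownertrust. Setting ownertrust on a key that is not itself valid in your view changes nothing, which is why in practice you either certify the notary key yourself or mark it ultimate.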