Using root CAs as a trusted 3rd party

Thomas Harning Jr. harningt at
Sat Jan 21 20:47:25 CET 2012

On Jan 21, 2012 1:13 PM, "Aaron Toponce" <aaron.toponce at> wrote:
> I just signed an OpenPGP key with cert level 0x12 (casual checking) given
> the following scenario:
>    * A PGP key was signed by an SSL certificate that was signed by a root
>      CA
>    * I verified that the signature was indeed from that root CA.
>    * I stripped the signature, and imported the PGP key.
>    * I then signed the key, exported, and sent back.
> What are your thoughts on using root CAs as a trusted 3rd party for
> trusting that a key is owned by whom it claims? Of course, this is merely
> for casual checking, but it seems to be "good enough".

That process seems pretty reasonable, assuming the CA is reputable. Even
better if you keep track of the SSL cert to keep track of breaches and the
It seems akin to the PayPal 3rd party auth, just a different source.
I may add this idea to my key signing policy... perhaps adding a flag in
the policy URL like the version flag I have.

More information about the Gnupg-users mailing list