Using root CAs as a trusted 3rd party

Gregor Zattler telegraph at
Sat Jan 21 22:50:11 CET 2012

Hi Aaron, gnupg users,
* Aaron Toponce <aaron.toponce at> [21. Jan. 2012]:
> I just signed an OpenPGP key with cert level 0x12 (casual checking) given
> the following scenario:
>     * A PGP key was signed by an SSL certificate that was signed by a root
>       CA
>     * I verified that the signature was indeed from that root CA.
>     * I striped the signature, and imported the PGP key.
>     * I then signed the key, exported, and sent back.
> What are your thoughts on using root CAs as a trusted 3rd party for
> trusting that a key is owned by whom it claims? Of course, this is merely
> for casual checking, but it seems to be "good enough".

IMHO by signing a key you make a statement about the connection
between a person or owner and the user id you sign, saying "I
somehow convinced myself that user owns this key".  This only
makes sense if you have some insight into the matter that a
person which is confronted with the key only cannot have.  Your
signature should add some information.  Merely saying I'm
convinced that the user is the owner/originator of the key
because someone else already signed this key, does not make much
sense to me.  I think you should have added a notation explaining
you reasoning.

Ciao, Gregor
 -... --- .-. . -.. ..--.. ...-.-
[1]  Especially since there have been several comprises of CAs in
     the past.

More information about the Gnupg-users mailing list