Using root CAs as a trusted 3rd party

Hauke Laging mailinglisten at
Sun Jan 22 00:10:11 CET 2012

On Saturday, 21 January 2012, at 19:12:15, Aaron Toponce wrote:
> I just signed an OpenPGP key with cert level 0x12 (casual checking) given
> the following scenario:
>     * A PGP key was signed by an SSL certificate that was signed by a root
>       CA
>     * I verified that the signature was indeed from that root CA.
>     * I stripped the signature, and imported the PGP key.
>     * I then signed the key, exported, and sent back.
> What are your thoughts on using root CAs as a trusted 3rd party for
> trusting that a key is owned by whom it claims? Of course, this is merely
> for casual checking, but it seems to be "good enough".
> Thoughts?

IMHO that does not make sense. In the end you just certify that you trust the 
CA. Your certification makes a difference just to those who do not trust the 
root CA (or do not know this certification path because the key servers don't 
know it).

The clear solution would be that you certify the root CA's certificate.

PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
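A small trust-path model of the two certification strategies discussed in this exchange, added here as an illustration and not part of the original thread. Every name (root_ca, aaron, alice_pgp, bob) is constructed; the model treats the CA-signed SSL certificate's signature over the key as one certification path from the root CA to the key.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    signer: str               # key or certificate that made the signature
    subject: str              # key or certificate being certified
    level: int = 0x10         # OpenPGP certification class; 0x12 = casual checking
    introducer: bool = False  # True: signer also vouches for the subject as an
                              # introducer (a CA-style or trust-signature step)

def derive_validity(certs, trusted):
    """Compute the set of valid subjects from a verifier's viewpoint.

    A subject is valid if a trusted introducer certified it; it becomes an
    introducer itself only if that certification says so. Iterates to a
    fixpoint so chained paths (A trusts CA, CA certifies key) are followed.
    """
    valid, introducers = set(trusted), set(trusted)
    changed = True
    while changed:
        changed = False
        for c in certs:
            if c.signer not in introducers:
                continue
            if c.subject not in valid:
                valid.add(c.subject); changed = True
            if c.introducer and c.subject not in introducers:
                introducers.add(c.subject); changed = True
    return valid

# Constructed scenario: the CA path that was on the key before it was stripped,
# the 0x12 signature Aaron published, and the alternative of certifying the CA.
CA_PATH = Cert("root_ca", "alice_pgp")                   # root CA -> SSL cert -> key
AARON_SIG = Cert("aaron", "alice_pgp", level=0x12)       # what was actually published
AARON_CERTIFIES_CA = Cert("aaron", "root_ca", introducer=True)

def aaron_strategy(verifier_trusts):
    """Key carries only Aaron's signature; the CA path was stripped."""
    return "alice_pgp" in derive_validity([AARON_SIG], verifier_trusts)

def hauke_strategy(verifier_trusts):
    """CA path left on the key; Aaron certifies the root CA instead."""
    return "alice_pgp" in derive_validity([CA_PATH, AARON_CERTIFIES_CA], verifier_trusts)

if __name__ == "__main__":
    for who in ({"aaron"}, {"root_ca"}, {"bob"}):
        print(sorted(who), aaron_strategy(who), hauke_strategy(who))
```

A verifier who trusts the root CA but not Aaron gains nothing from the stripped-path signature, while with the CA certified explicitly the same key validates for both kinds of verifier and the reasoning stays visible.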