Using root CAs as a trusted 3rd party

Aaron Toponce aaron.toponce at gmail.com
Sun Jan 22 03:49:42 CET 2012


On Sat, Jan 21, 2012 at 02:47:25PM -0500, Thomas Harning Jr. wrote:
> That process seems pretty reasonable, assuming the CA is reputable. Even
> better if you keep track of the SSL cert to keep track of breaches and the
> like.

The idea is only to casually trust that a key belongs to a person. If the
key is signed by a root CA certificate, then the person has established a
relationship of trust between themselves and the CA. So, if the PGP key is
signed by that cert, it seems to follow that the key is indeed owned by the
person who claims to own it.

> It seems akin to the PayPal 3rd party auth, just a different source.

Yes. That's all I'm after. I think the militant "I _absolutely_ won't sign
any keys unless I verify their identification, face-to-face" attitude is
hindering adoption. There must be a way to build the WOT, while still
allowing people to sign keys without meeting. Thus, the reasons for 0x10,
0x11, 0x12 and 0x13 in GnuPG for identifying how carefully you've verified
the owner of a key.

I'm looking for ways to build the WOT, without hindering adoption, by
taking advantage of various means to establish trust of key ownership. This
seems to be a method, I just want to make sure I have all my i's jotted and
my t's crossed.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o
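As an added example (not code from this post or from GnuPG itself): a small Python parser for `gpg --list-sigs --with-colons` output that reports the 0x10 to 0x13 certification class of every signature on a key, so a reader can see how carefully each signer claims to have verified the owner, which is exactly the distinction the post relies on. The colon records, key IDs and user IDs below are constructed sample data.

```python
import re

# Certification signature classes (RFC 4880 section 5.2.1). In --with-colons
# sig records the class appears as two hex digits plus 'x' (exportable) or
# 'l' (local, non-exportable), e.g. "13x".
CERT_LEVELS = {
    0x10: "generic (no statement about how the owner was verified)",
    0x11: "persona (signer did not verify the owner at all)",
    0x12: "casual (some casual verification of the owner)",
    0x13: "positive (substantial verification of the owner)",
}

# Constructed sample of `gpg --list-sigs --with-colons` output for one key.
SAMPLE = """\
pub:u:4096:1:0123456789ABCDEF:1327000000::::::scESC::::::23::0:
uid:u::::1327000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1327000000::::Alice Example <alice@example.org>:13x:::::::::0:
sig:::1:FEDCBA9876543210:1327000000::::Bob Example <bob@example.org>:12x:::::::::0:
sig:::1:1111222233334444:1327000000::::Carol Example <carol@example.org>:10l:::::::::0:
sig:::1:5555666677778888:1327000000::::Dave Example <dave@example.org>:1Fx:::::::::0:
"""

def parse_certifications(colon_output):
    """Return one dict per user-ID certification found in the colon output.

    Non-certification signature classes (e.g. 0x1F direct-key) are skipped.
    """
    results, primary_keyid, current_uid = [], None, None
    for line in colon_output.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            primary_keyid = fields[4]          # field 5: long key ID
        elif rec == "uid":
            current_uid = fields[9]            # field 10: user ID string
        elif rec == "sig" and len(fields) > 10:
            m = re.fullmatch(r"([0-9a-fA-F]{2})([xl])", fields[10])  # field 11
            if not m or int(m.group(1), 16) not in CERT_LEVELS:
                continue
            level = int(m.group(1), 16)
            results.append({
                "uid": current_uid,
                "signer": fields[4],
                "signer_uid": fields[9],
                "level": level,
                "meaning": CERT_LEVELS[level],
                "exportable": m.group(2) == "x",
                "self_signed": fields[4] == primary_keyid,
            })
    return results

if __name__ == "__main__":
    for c in parse_certifications(SAMPLE):
        print(f"{c['uid']}: 0x{c['level']:02X} by {c['signer_uid']} -> {c['meaning']}")
```

Only a 0x12 or 0x13 certification says anything about identity checking; a 0x10 signature (the GnuPG default) makes no claim at all, which is why the level matters when deciding how much weight a signature carries in the WOT.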