Using root CAs as a trusted 3rd party
Aaron Toponce
aaron.toponce at gmail.com
Sun Jan 22 03:54:43 CET 2012
On Sat, Jan 21, 2012 at 10:50:11PM +0100, Gregor Zattler wrote:
> IMHO by signing a key you make a statement about the connection
> between a person or owner and the user id you sign, saying "I
> somehow convinced myself that user owns this key". This only
> makes sense if you have some insight into the matter that a
> person which is confronted with the key only cannot have. Your
> signature should add some information. Merely saying I'm
> convinced that the user is the owner/originator of the key
> because someone else already signed this key, does not make much
> sense to me. I think you should have added a notation explaining
> your reasoning.
I trust the encrypted connection between my browser and my bank, because
the certificate they present to my browser is signed by a root CA that is
installed in the browser. It seems possible to make a valid corollary with
OpenPGP keys. I trust a key belongs to a specific user, because that key,
presented to me as owned by a specific person, is signed by a root CA.
Essentially, I'm using a CA as a 3rd party to casually establish identity.
At this point, I can rest assured that the key this person claims is theirs
is actually theirs.
--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
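The browser-side check the message above leans on, as an added worked example (not code from the post, from Aaron, or from GnuPG): a Go program that builds two hypothetical CAs ("Example Root CA", which the client trusts, and "Some Other CA", which it does not), has each of them issue a certificate for the constructed hostname bank.example, and then runs the same verification a browser runs. The outcomes show what the "root CA as trusted third party" model actually buys: the signature alone proves nothing, the trust store decides, and any root placed in that store can vouch for any name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs template with signerKey on behalf of parent (self-signed when
// parent is nil) and returns the parsed certificate.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// caTemplate and leafTemplate describe constructed (hypothetical) identities.
func caTemplate(serial int64, name string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

func leafTemplate(serial int64, host string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// mint creates a CA named caName and a certificate it issues for bank.example.
func mint(caName string, serial int64) (root, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	root, err = issue(caTemplate(serial, caName), nil, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = issue(leafTemplate(serial+1, "bank.example"), root, &leafKey.PublicKey, caKey)
	return root, leaf, err
}

// verify does what a browser does: build a chain from leaf to some root in
// the trust store and check that the certificate is valid for host.
func verify(leaf *x509.Certificate, store []*x509.Certificate, host string) error {
	pool := x509.NewCertPool() // non-nil but empty pool: system roots are NOT consulted
	for _, c := range store {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcomes runs five checks and reports whether each one verifies.
func Outcomes() (map[string]bool, error) {
	trustedRoot, trustedLeaf, err := mint("Example Root CA", 1)
	if err != nil {
		return nil, err
	}
	otherRoot, otherLeaf, err := mint("Some Other CA", 10)
	if err != nil {
		return nil, err
	}
	trusted := []*x509.Certificate{trustedRoot}
	both := []*x509.Certificate{trustedRoot, otherRoot}
	return map[string]bool{
		"trusted root, right name": verify(trustedLeaf, trusted, "bank.example") == nil,
		"trusted root, wrong name": verify(trustedLeaf, trusted, "other.example") == nil,
		"empty trust store":        verify(trustedLeaf, nil, "bank.example") == nil,
		"untrusted CA vouches":     verify(otherLeaf, trusted, "bank.example") == nil,
		"other CA added to store":  verify(otherLeaf, both, "bank.example") == nil,
	}, nil
}

func main() {
	out, err := Outcomes()
	if err != nil {
		panic(err)
	}
	for k, v := range out {
		fmt.Printf("%-26s verifies=%v\n", k, v)
	}
}
```

Only two of the five cases verify: the trusted root vouching for the right name, and the other CA vouching for that same name once it has been added to the store. The signature from "Some Other CA" is just as cryptographically valid in the case that fails as in the case that succeeds; what changed is the client's list of anchors. In OpenPGP the corresponding anchor is not a built-in store but the ownertrust the key holder has assigned, so a third-party signature on a key carries weight only to the extent the verifier has chosen to trust that signer.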