Using root CAs as a trusted 3rd party

Aaron Toponce aaron.toponce at
Sun Jan 22 03:54:43 CET 2012

On Sat, Jan 21, 2012 at 10:50:11PM +0100, Gregor Zattler wrote:
> IMHO by signing a key you make a statement about the connection
> between a person or owner and the user id you sign, saying "I
> somehow convinced myself that user owns this key".  This only
> makes sense if you have some insight into the matter that a
> person which is confronted with the key only cannot have.  Your
> signature should add some information.  Merely saying I'm
> convinced that the user is the owner/originator of the key
> because someone else already signed this key, does not make much
> sense to me.  I think you should have added a notation explaining
> you reasoning.

I trust the encrypted connection between my browser and my bank, because
the certificate they present to by browser is signed by a root CA that is
installed in the browser. It seems possible to make a valid corollary with
OpenPGP keys. I trust a key belongs to a specific user, because that key is
presented to be to be owned by a specific person is signed by a root CA.

Esentially, I'm using a CA as a 3rd party to casually establish identity.
At this point, I can rest assured that the key this person claims is theirs
is actually theirs.

. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 519 bytes
Desc: not available
URL: </pipermail/attachments/20120121/3a61d45b/attachment.pgp>

More information about the Gnupg-users mailing list