Using Root CAs as a Trusted 3rd Party
Kara
karadenizi at gmail.com
Mon Jan 23 11:53:20 CET 2012
====
Reference:
Subject: Re: Using root CAs as a trusted 3rd party
Date: Sat, 21 Jan 2012 13:49:20 -0800
From: Ken Hagler <khagler at orange-road.com>
To: Aaron Toponce <aaron.toponce at gmail.com>
CC: gnupg-users at gnupg.org
> On Jan 21, 2012, at 10:12 AM, Aaron Toponce wrote:
>
>> What are your thoughts on using root CAs as a trusted 3rd party
>> for trusting that a key is owned by whom it claims? Of course,
>> this is merely for casual checking, but it seems to be "good
>> enough".
>
> As far as I can see the only checking CAs do before issuing a
> certificate is "does the credit card clear."
I believe you'll find that CAcert (www.cacert.org) is an exception *if*
you are relying on one of their x.509 certificates that includes the
individual's name since all CAcert certificates are free *and*
If the CAcert certificate includes the owner's name -- and if you're
willing to accept that CAcert assurance policies have been followed,
you can be confident that
a. The owner of the certificate has had a face-to-face meeting with two or more CAcert assurers who have examined (and accepted as valid) Government issued photoID documentation provided by that individual. Based on their assurance experience and their belief that the documents they have reviewed are valid, assurers can grant from 1 to 35 assurance points per individual. An individual must have at least 50 such points on their CAcert account to be considered "trusted" by CAcert.

b. If an individual's name is included in their CAcert x.509 certificate *and* if that individual is also listed by location in CAcert's public list of assurers, you can be confident that the individual has had a face-to-face meeting with three or more CAcert assurers who have examined provided Government-issued photoID documentation and accepted them as valid as noted in subpara "a" above and that the individual has at least 100 assurance points on their CAcert account and has met all other CAcert assurer requirements.

c. Currently many operating systems do not automatically include the CAcert root certificates (for details see http://wiki.cacert.org/InclusionStatus) but they can be easily obtained from http://www.cacert.org/index.php?id=3 and manually added to your list of root certificates.
====
Just as a matter of information regarding members of the Gossamer Spider Web of Trust (GSWoT) <www.gswot.org>: Among other requirements a GSIntroducer (GSI) must meet is that they are either:

d. A CAcert assurer, or

e. Have an x.509 CAcert certificate that includes their name (indicating they've met with at least two CAcert assurers -- see subpara "a" above) *and have* *also* had a face-to-face meeting with at least one GSI who has examined and accepted as valid the Government-issued photoID documentation they've provided, and has trust signed their PGP/GPG key with their GSI key or keys, or

f. Had a face-to-face meeting with three GSIs who have examined and accepted as valid the Government-issued photoID documentation they've provided, and has trust signed their PGP/GPG key with their GSI key or keys.

Only then -- again assuming all other GSWoT policy requirements have been met and that it's been validated that they control the email addresses associated with each of their key's userIDs -- are their PGP/GPG key or keys userIDs GPG "sig!2 1" trust signed by the 8875BF7F GSWoT "Signing Authority" key validating they are GSIs.
====
Ciao
Kara
Timestamp: Mon, 23 Jan 2012, 0553 Local (UTC -0500)
====