Using root CAs as a trusted 3rd party

Mark H. Wood mwood at IUPUI.Edu
Mon Jan 23 15:24:03 CET 2012

On Sat, Jan 21, 2012 at 01:49:20PM -0800, Ken Hagler wrote:
> On Jan 21, 2012, at 10:12 AM, Aaron Toponce wrote:
> > What are your thoughts on using root CAs as a trusted 3rd party for
> > trusting that a key is owned by whom it claims? Of course, this is merely
> > for casual checking, but it seems to be "good enough".
> As far as I can see the only checking CAs do before issuing a certificate is "does the credit card clear."

It seems to depend on the CA.  I know that one does a bit more
checking because, the first time I sent them a request, I got a call
from our corporate security officer to ask if I was really the one who
had sent that request, because the CA had asked him the same
question.  They had wanted some identifying information about us that
was not so easy for a mere computer wrangler like me to get, too.

That little bit of fussiness won my repeat business, BTW.  I figured
that being fussy is what we were paying for.  I wouldn't spend a dime
at one of those CC-clearance-is-good-enough-for-us outfits.

I guess that the lesson is:  don't assume.  Find out for yourself
whether a CA is worthy of your trust, before trusting.

Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Asking whether markets are efficient is like asking whether people are smart.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: </pipermail/attachments/20120123/c11580ef/attachment.pgp>

More information about the Gnupg-users mailing list