>> I just signed an OpenPGP key with cert level 0x12 (casual
>> checking) given the following scenario:
>> * A PGP key was signed by an SSL certificate that was signed by a
>>   root CA
>> * I verified that the signature was indeed from that root CA.
>> * I stripped the signature, and imported the PGP key.
>> * I then signed the key, exported, and sent back.
>> What are your thoughts on using root CAs as a trusted 3rd party
>> for trusting that a key is owned by whom it claims? Of course,
>> this is merely for casual checking, but it seems to be "good
>> enough".
> IMHO by signing a key you make a statement about the connection
> between a person or owner and the user id you sign, saying "I
> somehow convinced myself that user owns this key".  This only makes
> sense if you have some insight into the matter that a person which
> is confronted with the key only cannot have.  Your signature should
> add some information.  Merely saying I'm convinced that the user is
> the owner/originator of the key because someone else already signed
> this key, does not make much sense to me.  I think you should have
> added a notation explaining your reasoning.

  Well, if Trent signs Alice's key, Bob, who trusts Trent, might sign her
key too. Charly doesn't know Trent, but he trusts Bob's judgement, so
he might accept Alice's key as valid, not because of Trent's
signature, but because of Bob's signature. Also, maybe Trent only
signs keys if 2 persons have checked it, but he just signs it once;
that signature doesn't reflect the number of people having checked it.
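The Trent/Alice/Bob/Charly reasoning above, worked through as an added example (not part of this thread): a small Python model of the classic web-of-trust validity rule that GnuPG applies (one fully trusted certifier or three marginally trusted ones makes a key valid, and certifications below min-cert-level are ignored), evaluated from Charly's keyring. The keyring contents, the names, the cert levels and the GnuPG default thresholds are assumptions made for the example.

```python
from dataclasses import dataclass, field

FULL, MARGINAL, NONE = "full", "marginal", "none"
COMPLETES_NEEDED, MARGINALS_NEEDED, MIN_CERT_LEVEL = 1, 3, 2  # GnuPG defaults (assumed)

@dataclass
class Keyring:
    sigs: dict = field(default_factory=dict)        # key -> [(signer, cert_level)]
    ownertrust: dict = field(default_factory=dict)  # key -> owner trust set locally

def valid_keys(kr: Keyring, me: str, max_depth: int = 5) -> set:
    """Keys the keyring owner ('me', ultimately trusted) considers valid."""
    valid = {me}
    for _ in range(max_depth):            # propagate until nothing new becomes valid
        new = set()
        for key, sigs in kr.sigs.items():
            if key in valid:
                continue
            full = marginal = 0
            for signer, level in sigs:
                # A certification counts only if the signer's key is itself valid
                # and its level reaches min-cert-level (0x12 "casual" = 2 passes).
                if signer not in valid or level < MIN_CERT_LEVEL:
                    continue
                trust = kr.ownertrust.get(signer, NONE)
                full += (signer == me) or (trust == FULL)
                marginal += trust == MARGINAL
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                new.add(key)
        if not new:
            break
        valid |= new
    return valid

def charly_view(bob_signed_alice=True, trent_trust=NONE):
    """Constructed keyring: Charly certified Bob's and Trent's keys himself
    (level 0x13), Trent certified Alice at 0x12, and Bob optionally did too."""
    alice = [("trent", 2)] + ([("bob", 2)] if bob_signed_alice else [])
    kr = Keyring(sigs={"bob": [("charly", 3)], "trent": [("charly", 3)], "alice": alice},
                 ownertrust={"bob": FULL, "trent": trent_trust})
    return valid_keys(kr, "charly")

if __name__ == "__main__":
    print(charly_view())                 # Alice valid, but only through Bob's signature
    print(charly_view(False, MARGINAL))  # Trent's lone signature is not enough
    print(charly_view(False, FULL))      # ... unless Charly decides to trust Trent fully
```

Trent's signature adds nothing to Charly's view until Charly assigns Trent owner trust, which is exactly why the signature itself should carry the reasoning (e.g. a notation) rather than rely on whoever signed before.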

