Using root CAs as a trusted 3rd party

Faramir faramir.cl at gmail.com
Tue Jan 24 19:13:46 CET 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 21-01-2012 18:50, Gregor Zattler wrote:
> Hi Aaron, gnupg users,
> 
> * Aaron Toponce <aaron.toponce at gmail.com> [21. Jan. 2012]:
>> I just signed an OpenPGP key with cert level 0x12 (casual
>> checking) given the following scenario:
>> 
>> * A PGP key was signed by an SSL certificate that was signed by a
>>   root CA
>> * I verified that the signature was indeed from that root CA.
>> * I stripped the signature, and imported the PGP key.
>> * I then signed the key, exported, and sent back.
>> 
>> What are your thoughts on using root CAs as a trusted 3rd party
>> for trusting that a key is owned by whom it claims? Of course,
>> this is merely for casual checking, but it seems to be "good
>> enough".
> 
> IMHO by signing a key you make a statement about the connection 
> between a person or owner and the user id you sign, saying "I 
> somehow convinced myself that user owns this key".  This only makes
> sense if you have some insight into the matter that a person which
> is confronted with the key only cannot have.  Your signature should
> add some information.  Merely saying I'm convinced that the user is
> the owner/originator of the key because someone else already signed
> this key, does not make much sense to me.  I think you should have
> added a notation explaining your reasoning.

  Well, if Trent signs Alice's key, Bob, who trusts Trent, might sign her
key too. Charly doesn't know Trent, but he trusts Bob's judgement, so
he might accept Alice's key as valid, not because of Trent's
signature, but because of Bob's signature. Also, maybe Trent only
signs keys if 2 persons have checked them, but he just signs once;
that signature doesn't reflect the number of people who have checked it.

  Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBCAAGBQJPHvTaAAoJEMV4f6PvczxAAjQIAIPfzIApPoR+FWibTqvp6Ijl
7i3YB5lvP7HpsLdpcA9To4XlmBXVuaPH4u+eJr/d8dOIJ/qCEgJnkaPamG/bXOU3
AobiXY0B0/mpF809vpF3+cNY+8PVTPVeWz66BrBzfVg9CVOUo+fhygChfyPTrEDw
BL+fjowHmdliUhF8jDvw3Em2Oa+wcugImNnmTKncr3Qj1Kmp3UtVOSLQD5tbia3c
SzHQ8nAHFgEbjpE3To+UjcXaBfd3kQnZ2WKKdcJdjxFscd0lvSj0dkj5jAnpWZZH
xKoLE8ljvfSZOk73v5vxLENj4xWBOUJopi+bzaN4ZjTEMmUV0DOnh93C0QBTceQ=
=gy8V
-----END PGP SIGNATURE-----
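The Trent / Alice / Bob / Charly scenario above is a web-of-trust validity question, so here is a small model of it as an added illustration (constructed for this note, not GnuPG's code and not part of the thread). It uses a simplified form of the classic OpenPGP trust model, in which a key becomes valid when certified by one fully trusted signer or by three marginally trusted signers, each of whose own keys must already be valid. All names, the keyring contents and the ownertrust assignments are constructed sample data.

```python
"""Simplified web-of-trust validity calculation for the Trent / Alice /
Bob / Charly scenario.  Constructed illustration of the classic OpenPGP
trust model (one full or three marginal trusted signers); not GnuPG's code."""

from dataclasses import dataclass, field

FULL, MARGINAL, NONE = "full", "marginal", "none"


@dataclass
class Key:
    owner: str
    # Owners of the keys that have certified this key's user ID (constructed).
    signers: set = field(default_factory=set)


def key_validity(target, keyring, ownertrust, own,
                 completes_needed=1, marginals_needed=3,
                 max_depth=5, _depth=0):
    """Return True if the holder of `own` should consider `target`'s key valid.

    `ownertrust` maps a signer to how much `own`'s holder trusts that signer's
    certifications (FULL, MARGINAL or NONE).  A certification only counts when
    the signer's own key is valid from the same point of view (recursive,
    depth-limited, as in the classic model).
    """
    if target == own:
        return True
    if _depth >= max_depth:
        return False
    key = keyring.get(target)
    if key is None:
        return False
    if own in key.signers:
        return True  # we certified this key ourselves
    completes = marginals = 0
    for signer in key.signers:
        if signer == target:
            continue  # a self-signature says nothing about third-party checks
        trust = ownertrust.get(signer, NONE)
        if trust == NONE:
            continue
        if not key_validity(signer, keyring, ownertrust, own,
                            completes_needed, marginals_needed,
                            max_depth, _depth + 1):
            continue
        if trust == FULL:
            completes += 1
        elif trust == MARGINAL:
            marginals += 1
    return completes >= completes_needed or marginals >= marginals_needed


def scenario():
    # Constructed keyring: Trent and Bob certified Alice, Charly certified Bob,
    # Bob certified Trent.  Every key also carries its own self-signature.
    keyring = {
        "alice": Key("alice", {"alice", "trent", "bob"}),
        "bob": Key("bob", {"bob", "charly"}),
        "trent": Key("trent", {"trent", "bob"}),
        "charly": Key("charly", {"charly"}),
    }
    # Charly does not know Trent (no ownertrust) but fully trusts Bob.
    charly_trust = {"bob": FULL}
    alice_via_bob = key_validity("alice", keyring, charly_trust, "charly")

    # Same keyring without Bob's certification: Trent's signature alone does
    # nothing for Charly, because he has assigned Trent no trust.
    keyring_no_bob = dict(keyring)
    keyring_no_bob["alice"] = Key("alice", {"alice", "trent"})
    alice_without_bob = key_validity("alice", keyring_no_bob, charly_trust, "charly")

    # Bob's view: Trent signs once however many people checked for him, so
    # the calculation sees one certification.  Counted as marginal it falls
    # short of three; only full trust in Trent makes Alice's key valid.
    bob_marginal = key_validity("alice", keyring_no_bob, {"trent": MARGINAL}, "bob")
    bob_full = key_validity("alice", keyring_no_bob, {"trent": FULL}, "bob")
    return {
        "charly_alice_via_bob": alice_via_bob,
        "charly_alice_without_bob": alice_without_bob,
        "bob_alice_trent_marginal": bob_marginal,
        "bob_alice_trent_full": bob_full,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The point the model makes explicit: Alice's key is valid for Charly only through Bob's certification, and a single certification from Trent carries no record of how many people Trent had check the key, which is why a notation on the signature is the place to record such reasoning.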
