Using root CAs as a trusted 3rd party

brian m. carlson sandals at
Tue Jan 24 20:26:15 CET 2012

On Tue, Jan 24, 2012 at 03:13:46PM -0300, Faramir wrote:
>   Well, if Trent signs Alice's key, Bob, who trusts Trent, might sign her
> key too. Charly doesn't know Trent, but he trusts Bob's judgement, so
> he might accept Alice's key as valid, not because of Trent's
> signature, but because of Bob's signature. Also, maybe Trent only
> signs keys if 2 persons have checked it, but he just signs it once, and
> that signature doesn't reflect the number of people having checked it.

This is why OpenPGP implementations have trust settings.  If Bob trusts
Trent's assertions, then he can give Trent full trust and Bob's
implementation will believe that Alice's key belongs to Alice.  There's
no need to sign the key.

If I truly believe that a key belongs to someone that I have seen use it
for several years and that is trusted by numerous other people, but I
have not verified the connection between that person's identity and key
myself, I use a local signature.  That way I don't have other people
rely on my assertion if I haven't done the amount of checking that I
would like to before making a public statement.

brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
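The two mechanisms the message describes (giving Trent ownertrust instead of signing Alice's key, and keeping one's own assertion local so nobody else relies on it) can be walked through in a small model. The code below is an added example, not from the thread or from GnuPG itself: a toy keyring that computes validity GnuPG-style from ownertrust plus certifications, with the "Bob", "Trent", "Alice" and "Charly" names of the thread and the trust-signature semantics simplified.

```python
# Added example (not from the thread): toy model of how an OpenPGP client derives
# key validity from ownertrust plus certifications, GnuPG-style (one fully trusted
# signer, or several marginal ones). Names follow the thread; all else simplified.
from dataclasses import dataclass, field

FULL, MARGINAL = "full", "marginal"

@dataclass
class Keyring:
    owner: str                                      # whose keyring this is
    ownertrust: dict = field(default_factory=dict)  # keyholder -> FULL / MARGINAL
    sigs: dict = field(default_factory=dict)        # key -> {(signer, exportable)}

    def sign(self, signer, key, exportable=True):
        """Record a certification; exportable=False models 'gpg --lsign-key'."""
        self.sigs.setdefault(key, set()).add((signer, exportable))

    def export_sigs(self, key):
        """Only exportable certifications travel with the key to other keyrings."""
        return {s for s in self.sigs.get(key, set()) if s[1]}

    def is_valid(self, key, marginals_needed=3, _seen=frozenset()):
        # Valid if the owner certified it, or enough trusted *and valid* signers did.
        if key == self.owner:
            return True                             # own key: ultimate trust
        full = marginal = 0
        for signer, _ in self.sigs.get(key, set()):
            if signer == self.owner:
                return True                         # local or public, both count here
            trust = self.ownertrust.get(signer)
            if trust is None or signer in _seen:
                continue                            # unknown signer: certification ignored
            if not self.is_valid(signer, marginals_needed, _seen | {key}):
                continue                            # trust only flows from valid keys
            full += trust == FULL
            marginal += trust == MARGINAL
        return full >= 1 or marginal >= marginals_needed

def thread_scenario():
    bob = Keyring("Bob")
    bob.sign("Bob", "Trent")                        # Bob checked Trent's key himself
    bob.ownertrust["Trent"] = FULL                  # ...and trusts Trent's assertions
    bob.sign("Trent", "Alice")                      # Trent's certification, imported
    alice_valid_for_bob = bob.is_valid("Alice")     # true without any signature by Bob
    bob.sign("Bob", "Alice", exportable=False)      # Bob's private (local) assertion
    charly = Keyring("Charly")                      # knows Bob, never heard of Trent
    charly.sign("Charly", "Bob")
    charly.ownertrust["Bob"] = FULL
    for signer, exp in bob.export_sigs("Alice"):    # what Bob's keyring would export
        charly.sign(signer, "Alice", exp)
    return {"bob": alice_valid_for_bob, "charly": charly.is_valid("Alice"),
            "bob_sig_reached_charly": any(s == "Bob" for s, _ in charly.sigs["Alice"])}
```

Bob's keyring accepts Alice's key purely through Trent's ownertrust, while Charly, who only trusts Bob, never sees Bob's local signature and is left with a certification from a stranger.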