making the X.509 infrastructure available for OpenPGP
Hauke Laging
mailinglisten at hauke-laging.de
Wed Feb 5 04:11:36 CET 2014
Am Di 04.02.2014, 19:38:07 schrieb Peter Lebbing:
> And CACert still isn't in the default
> trusted root bundle on quite some systems, I believe.
And will probably "never" be.
> extending the trust in that broken model to OpenPGP
That is not what I suggest. You can assign certification trust to any
key. Why should this of all keys not be done with certain CA keys?
In contrast to the X.509 approach I would not skip the user's trust
decision. And an important difference is that you could limit the CA to
marginal trust.
There is an advantage even if you do not assign positive certification
trust to the CA key: You see a valid CA signature on the certificate to
be verified and can make it valid yourself.
Of course, it would be nice if you did not have to make a completely
independent signature on the UID but could sign this one CA signature,
thus empowering the CA signature to make the key valid. The advantages
would be that
1) the CA cannot make keys valid without your explicit approval
2) in contrast to a signature by your own key this signature would
become invalid if the CA revoked it. The RfC defines signatures over
signatures but I guess this currently is not used (except for
revocations).
Hauke
--
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20140205/da589500/attachment.sig>
More information about the Gnupg-users
mailing list