making the X.509 infrastructure available for OpenPGP

[Mark H. Wood]

On Wed, Feb 05, 2014 at 09:06:25PM +0100, Werner Koch wrote:
> On Wed,  5 Feb 2014 19:04, peter at digitalbrains.com said:
> 
> > An X.509 certification obviously certifies that a certain X.509 certificate
> > belongs to the person or role identified by the Distinguished Name. But seen a
> 
> Almost all X.509 certification in public use certify only one of two
> things:
> 
>  - Someone has pushed a few bucks over to the CA.
> 
>  - Someone has convinced the CA to directly or indirectly issue a
>    certificate.

It varies.

I've dealt with CAs who wanted a DUNS number and would call the
corporate security officer at a published number to find out whether I
am authorized to request certificates.  In other words, these CAs
actually do some investigation of the claims in the CSR.  That's
likely one reason why their certificaties cost $200/yr.  I'd trust
these cert.s for everyday uses (only because my everyday risk is small).

I'm aware that others require as little as responding to email at the
proffered address, and clearance of a small payment.  I repose very
little trust in such cert.s.  They're mainly useful for initializing a
privacy mechanism, and don't say much that I'd believe about the
identity of the other party.  They're useful if that's all you want,
and most small e-commerce sites don't need more, possibly because most
people are unaware that there could be more and haven't thought deeply
about why they might want more.

So:  what would one want from X.509 certificates used to initialize an
OpenPGP session?  What would it take to get that?

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Machines should not be friendly.  Machines should be obedient.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: </pipermail/attachments/20140206/31c5315e/attachment.sig>