making the X.509 infrastructure available for OpenPGP
Mark H. Wood
mwood at IUPUI.Edu
Thu Feb 6 17:10:33 CET 2014
On Wed, Feb 05, 2014 at 10:30:38PM +0100, Peter Lebbing wrote:
> By the way, I still think the CA certifies that the certificate belongs to the
> person or role identified by the DN. The problem is that when someone vouches
> for the truth of something, that doesn't make it an actual fact. It sometimes
> means the certifier is simply sloppy or a liar. Certification is a statement,
> not truth.
I think that the CA certifies whatever its Certification Practice
Statement says it certifies -- because that is a document you could
present to a court as evidence. Commercial CAs typically are audited
periodically to determine that their operations conform to their CPS.
The problem is that a CPS can say *anything*. Without reading it, you
have no way of knowing what you should expect that CA's certificates
to mean.
--
Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu
Machines should not be friendly. Machines should be obedient.