making the X.509 infrastructure available for OpenPGP

Mark H. Wood mwood at IUPUI.Edu
Thu Feb 6 17:10:33 CET 2014

On Wed, Feb 05, 2014 at 10:30:38PM +0100, Peter Lebbing wrote:
> By the way, I still think the CA certifies that the certificate belongs to the
> person or role identified by the DN. The problem is that when someone vouches
> for the truth of something, that doesn't make it an actual fact. It sometimes
> means the certifier is simply sloppy or a liar. Certification is a statement,
> not truth.

I think that the CA certifies whatever its Certification Practice
Statement says it certifies -- because that is a document you could
present to a court as evidence.  Commercial CAs typically are audited
periodically to determine that their operations conform to their CPS.

The problem is that a CPS can say *anything*.  Without reading it, you
have no way of knowing what you should expect that CA's certificates
to mean.

Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Machines should not be friendly.  Machines should be obedient.