Modernizing Web-of-trust for Organizations

Lou Wynn lewisurn at
Thu Jan 4 06:10:34 CET 2018

On 01/03/2018 04:40 PM, MFPA wrote:
>> It is already the case that an organisation does not need to depend on
>> third-party CAs to certify its staff's OpenPGP keys.

It's true for OpenPGP because OpenPGP is a distributed system: there is
no single CA, or rather it doesn't have the concept of a CA at all. My
original implicit reference was PKI-based S/MIME.

The autonomous certificate authority model is different from both PKI
and the web of trust. As I explained in one of my previous posts, this
model clearly defines what trustworthiness is. The short version is:

A trusted key, or trustworthiness, means that the sender's certificate
is verified to be in the same trust realm or the same trust group as
the receiver's, in addition to traditional signature verification.

In this model, end users are completely freed from managing trust
relationships, because trustworthiness can be checked mechanically,
and this makes sense for organizational use.


More information about the Gnupg-users mailing list