lcs Mixmaster Remailer wrote:

> This is in contrast to the practice in the X.509 PKI, where a root CA
> has the ability to delegate trust as far as it wishes.

This is not correct. In X.509 it is the verifier that defines how that
is accepted and to how many levels, irrespective of what was signed.

The contrast is not true for PGP either.  A signer in PGP may sign
any number of keys that may have a transitive relationship to one
another's signatures as far as the signer wishes -- what the verifier
does (as in X.509) is another story.


> If your browser
> trusts Verisign, and Verisign trusts someone else, you automatically
> trust that other party.

Depends on the browser.  This is not a requirement or feature of X.509,
though often so confused. For an example where it is not, see Apache.


Cheers,

Ed Gerck
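
The point argued above, that the verifier's own policy decides which anchors and how many levels are accepted, shown as an added example that is not part of the original message. It models only the policy decision: signature and validity checks are omitted, and all certificate names, the `Cert` type and the `verify` function are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False

def verify(leaf, intermediates, anchors, max_depth):
    """Walk issuer links upward from the leaf.

    anchors and max_depth belong to the verifier; nothing a CA signed
    can widen them. depth counts issuer certificates above the leaf.
    """
    current, depth, seen = leaf, 0, set()
    while current.subject not in anchors:
        if depth and not current.is_ca:
            return False, f"{current.subject} is not a CA"
        seen.add(current.subject)
        issuer = anchors.get(current.issuer) or intermediates.get(current.issuer)
        if issuer is None or issuer.subject in seen:
            return False, "no path to a trust anchor"
        depth += 1
        if depth > max_depth:
            return False, f"path exceeds verifier depth limit {max_depth}"
        current = issuer
    return True, f"anchored at {current.subject}, depth {depth}"

# Constructed chain: Root CA -> Sub CA -> Reseller CA -> leaf
ROOT = Cert("Root CA", "Root CA", is_ca=True)
SUB = Cert("Sub CA", "Root CA", is_ca=True)
RESELLER = Cert("Reseller CA", "Sub CA", is_ca=True)
LEAF = Cert("www.example.test", "Reseller CA")
POOL = {c.subject: c for c in (SUB, RESELLER)}

if __name__ == "__main__":
    # Same signed chain, four verifiers, four different policies.
    policies = {
        "root anchor, depth 3": ({"Root CA": ROOT}, 3),
        "root anchor, depth 1": ({"Root CA": ROOT}, 1),
        "reseller anchor, depth 1": ({"Reseller CA": RESELLER}, 1),
        "no anchors": ({}, 5),
    }
    for name, (anchors, limit) in policies.items():
        print(f"{name:26} -> {verify(LEAF, POOL, anchors, limit)}")
```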

