On Saturday, 21 January 2012, 19:12:15, Aaron Toponce wrote:
> I just signed an OpenPGP key with cert level 0x12 (casual checking) given
> the following scenario:
>
> * A PGP key was signed by an SSL certificate that was signed by a root
> CA
> * I verified that the signature was indeed from that root CA.
> * I stripped the signature, and imported the PGP key.
> * I then signed the key, exported, and sent back.
>
> What are your thoughts on using root CAs as a trusted 3rd party for
> trusting that a key is owned by whom it claims? Of course, this is merely
> for casual checking, but it seems to be "good enough".
>
> Thoughts?
IMHO that does not make sense. In the end you just certify that you trust the CA. Your certification makes a difference just to those who do not trust the root CA (or do not know this certification path because the key servers don't know it).

The clear solution would be that you certify the root CA's certificate.

Hauke

--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users