On Sat, Jan 21, 2012 at 02:47:25PM -0500, Thomas Harning Jr. wrote:
> That process seems pretty reasonable, assuming the CA is reputable. Even
> better if you keep track of the SSL cert to keep track of breaches and the
> like.

The idea is only to casually trust that a key belongs to a person. If the key is signed by a root CA certificate, then the person has established a relationship of trust between themselves and the CA. So, if the PGP key is signed by that cert, it seems to follow that the key is indeed owned by the person who claims to own it.

> It seems akin to the PayPal 3rd party auth, just a different source.

Yes. That's all I'm after. I think the militant "I _absolutely_ won't sign any keys unless I verify their identification, face-to-face" attitude is hindering adoption. There must be a way to build the WOT, while still allowing people to sign keys without meeting. Thus, the reasons for 0x10, 0x11, 0x12 and 0x13 in GnuPG for identifying how carefully you've verified the owner of a key.

I'm looking for ways to build the WOT, without hindering adoption, by taking advantage of various means to establish trust of key ownership. This seems to be a method, I just want to make sure I have all my i's jotted and my t's crossed.
