On Sat, Jan 21, 2012 at 01:49:20PM -0800, Ken Hagler wrote:
> On Jan 21, 2012, at 10:12 AM, Aaron Toponce wrote:
>
> > What are your thoughts on using root CAs as a trusted 3rd party for
> > trusting that a key is owned by whom it claims? Of course, this is merely
> > for casual checking, but it seems to be "good enough".
>
> As far as I can see the only checking CAs do before issuing a certificate is
> "does the credit card clear."

It seems to depend on the CA. I know that one does a bit more checking because, the first time I sent them a request, I got a call from our corporate security officer to ask if I was really the one who had sent that request, because the CA had asked him the same question. They had wanted some identifying information about us that was not so easy for a mere computer wrangler like me to get, too.

That little bit of fussiness won my repeat business, BTW. I figured that being fussy is what we were paying for. I wouldn't spend a dime at one of those CC-clearance-is-good-enough-for-us outfits.

I guess that the lesson is: don't assume. Find out for yourself whether a CA is worthy of your trust, before trusting.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users