On Tue 04.02.2014, 19:38:07 Peter Lebbing wrote:

> And CACert still isn't in the default trusted root bundle on quite some systems, I believe.

And will probably "never" be.

> extending the trust in that broken model to OpenPGP

That is not what I suggest. You can assign certification trust to any key. Why should this of all keys not be done with certain CA keys? In contrast to the X.509 approach I would not skip the user's trust decision. And an important difference is that you could limit the CA to marginal trust.

There is an advantage even if you do not assign positive certification trust to the CA key: You see a valid CA signature on the certificate to be verified and can make it valid yourself. Of course, it would be nice if you did not have to make a completely independent signature on the UID but could sign this one CA signature, thus empowering the CA signature to make the key valid. The advantages would be that

1) the CA cannot make keys valid without your explicit approval
2) in contrast to a signature by your own key this signature would become invalid if the CA revoked it.

The RFC defines signatures over signatures but I guess this currently is not used (except for revocations).

Hauke

-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
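The effect Hauke describes (a CA key limited to marginal ownertrust cannot make a key valid on its own, while the user's own certification still can) can be seen in a small model of GnuPG's classic web-of-trust validity computation. This is an added example, not code from the thread or from GnuPG; it assumes GnuPG's default thresholds (one fully trusted signer or three marginally trusted signers make a key fully valid, certification chains at most five deep) and uses constructed key names such as `ME`, `CA`, `TARGET` and `FRIEND0`.

```python
"""Simplified model of GnuPG's classic trust computation (added example).

A key's validity is derived from the certifications on it and the
ownertrust the user assigned to the certifying keys.  Only a *fully
valid* key's ownertrust counts, which is why the user's own decision
(ultimate trust on their own key, the ownertrust they assign to the CA)
remains the root of every validity result.
"""

from dataclasses import dataclass, field

# GnuPG defaults (assumed here): --completes-needed, --marginals-needed,
# --max-cert-depth
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


@dataclass
class Key:
    fpr: str                        # constructed label standing in for a fingerprint
    ownertrust: str = "unknown"     # "ultimate", "full", "marginal", "never", "unknown"
    certified_by: set = field(default_factory=set)   # labels of keys that signed the UID


def key_validity(keyring, fpr, _depth=0, _seen=frozenset()):
    """Return "full", "marginal" or "unknown" for the key labelled `fpr`."""
    key = keyring[fpr]
    if key.ownertrust == "ultimate":
        return "full"                          # the user's own key is always valid
    if _depth >= MAX_CERT_DEPTH or fpr in _seen:
        return "unknown"                       # chain too long or cyclic
    seen = _seen | {fpr}
    completes = marginals = 0
    for signer_fpr in key.certified_by:
        signer = keyring.get(signer_fpr)
        if signer is None or signer.ownertrust in ("never", "unknown"):
            continue                           # no trust decision, or explicit distrust: ignored
        if key_validity(keyring, signer_fpr, _depth + 1, seen) != "full":
            continue                           # a signer that is not fully valid contributes nothing
        if signer.ownertrust in ("full", "ultimate"):
            completes += 1
        elif signer.ownertrust == "marginal":
            marginals += 1
    if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
        return "full"
    if completes + marginals > 0:
        return "marginal"
    return "unknown"


def build_keyring(ca_trust="marginal", extra_marginal_signers=0, user_signs_target=False):
    """Constructed sample keyring: our key ME (ultimate), a CA key we certified
    ourselves and gave `ca_trust` ownertrust, and a TARGET key certified by the
    CA, optionally by further marginally trusted keys we certified, and
    optionally by us directly."""
    keyring = {
        "ME": Key("ME", ownertrust="ultimate"),
        "CA": Key("CA", ownertrust=ca_trust, certified_by={"ME"}),
        "TARGET": Key("TARGET", certified_by={"CA"}),
    }
    for i in range(extra_marginal_signers):
        name = f"FRIEND{i}"
        keyring[name] = Key(name, ownertrust="marginal", certified_by={"ME"})
        keyring["TARGET"].certified_by.add(name)
    if user_signs_target:
        keyring["TARGET"].certified_by.add("ME")
    return keyring


def target_validity(**scenario):
    """Validity of TARGET under one of the constructed scenarios."""
    return key_validity(build_keyring(**scenario), "TARGET")


if __name__ == "__main__":
    print("CA marginal, CA signature only:   ", target_validity())
    print("CA full, CA signature only:       ", target_validity(ca_trust="full"))
    print("CA marginal + 2 marginal friends: ", target_validity(extra_marginal_signers=2))
    print("CA marginal + own certification:  ", target_validity(user_signs_target=True))
    print("CA set to never:                  ", target_validity(ca_trust="never"))
```

With the CA limited to marginal ownertrust the CA's certification alone leaves TARGET only marginally valid; it becomes fully valid once the user certifies it themselves, raises the CA to full trust, or two further marginally trusted certifications join it. Setting the CA to "never" discards its certification entirely.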
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users