On Wed, Feb 05, 2014 at 09:06:25PM +0100, Werner Koch wrote:
> On Wed, 5 Feb 2014 19:04, pe...@digitalbrains.com said:
>
> > An X.509 certification obviously certifies that a certain X.509 certificate
> > belongs to the person or role identified by the Distinguished Name. But
> > seen a
>
> Almost all X.509 certification in public use certify only one of two
> things:
>
> - Someone has pushed a few bucks over to the CA.
>
> - Someone has convinced the CA to directly or indirectly issue a
>   certificate.
It varies. I've dealt with CAs who wanted a DUNS number and would call the corporate security officer at a published number to find out whether I am authorized to request certificates. In other words, these CAs actually do some investigation of the claims in the CSR. That's likely one reason why their certificates cost $200/yr. I'd trust these certs for everyday uses (only because my everyday risk is small).

I'm aware that others require as little as responding to email at the proffered address, and clearance of a small payment. I repose very little trust in such certs. They're mainly useful for initializing a privacy mechanism, and don't say much that I'd believe about the identity of the other party. They're useful if that's all you want, and most small e-commerce sites don't need more, possibly because most people are unaware that there could be more and haven't thought deeply about why they might want more.

So: what would one want from X.509 certificates used to initialize an OpenPGP session? What would it take to get that?

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users