On Sun, 9 Dec 2018 19:51:37 +0100, Stefan Claas wrote:
> On Sun, 09 Dec 2018 18:24:38 +0100, Dirk Gottschalk wrote:

Hi Dirk,

> > > Get a sig from a CA and then upload your key via email.
> > > Then the key servers do something like a gpg --check-sigs
> > > to see if a key bears a valid CA sig and if it is found in their
> > > index the key will be added to the network, once the submitted
> > > UID matches with the email address header. So no cryptographic
> > > verification is imho needed. This would also eliminate, I think,
> > > that someone else can upload someone else's pub key.
> >
> > And who decides which CA is trustworthy and which is not? The
> > problem is, like in the X.509 land, that it depends on an initial
> > trust to one or more central authorities. Who decides whom one can
> > trust.

If trusted organizations like EFF etc. would run a CA...

> > And further, why should anyone run something like a CA for
> > free.

Nobody said that it should be free.

> > And then again the question, who decides who gets the needed
> > trust?

I have learned in the past the phrase "trust nobody" when it comes
to IoT. That means also I don't have to trust GnuPG users, for
example... ;-)

Regards
Stefan

--
https://www.behance.net/futagoza
https://keybase.io/stefan_claas
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users