I just signed an OpenPGP key with cert level 0x12 (casual checking) given
the following scenario:

    * A PGP key was signed by an SSL certificate that was signed by a root
      CA
    * I verified that the signature was indeed from that root CA.
    * I stripped the signature, and imported the PGP key.
    * I then signed the key, exported, and sent back.

What are your thoughts on using root CAs as a trusted 3rd party for
trusting that a key is owned by whom it claims? Of course, this is merely
for casual checking, but it seems to be "good enough".

Thoughts?

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
