On Jan 21, 2012 1:13 PM, "Aaron Toponce" <aaron.topo...@gmail.com> wrote:
>
> I just signed an OpenPGP key with cert level 0x12 (casual checking) given
> the following scenario:
>
> * A PGP key was signed by an SSL certificate that was signed by a root CA
> * I verified that the signature was indeed from that root CA.
> * I stripped the signature, and imported the PGP key.
> * I then signed the key, exported, and sent back.
>
> What are your thoughts on using root CAs as a trusted 3rd party for
> trusting that a key is owned by whom it claims? Of course, this is merely
> for casual checking, but it seems to be "good enough".
>
That process seems pretty reasonable, assuming the CA is reputable. Even better if you keep track of the SSL cert to keep track of breaches and the like. It seems akin to the PayPal 3rd party auth, just a different source. I may add this idea to my key signing policy... perhaps adding a flag in the policy URL like the version flag I have.
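The verification steps Aaron describes, as an added shell example that is not part of the original thread: it assumes openssl is installed, builds a throwaway root CA, a leaf certificate and a stand-in key file as constructed fixtures, and adds the check a practitioner would want before certifying, namely that the certificate's subject actually names the identity on the key.

```shell
#!/bin/sh
# Added example (not from the thread): check an X.509-signed PGP key export the way
# the poster describes, before importing and certifying it with gpg.
# Assumes openssl is installed. The root CA, leaf cert and "key" below are
# constructed throwaway fixtures; in practice you obtain them from the sender.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_fixture() {
  # Throwaway root CA and a leaf certificate it signs (CN = the identity on the key).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=alice@example.org" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null
  # Stand-in for the exported PGP public key, detached-signed by the leaf's private key.
  printf 'constructed stand-in for an exported PGP public key block\n' > "$WORK/key.asc"
  openssl dgst -sha256 -sign "$WORK/leaf.key" -out "$WORK/key.sig" "$WORK/key.asc"
}

# verify_ca_signed_key ROOT LEAF KEY SIG EXPECTED_CN
# Succeeds only if: (1) LEAF chains to ROOT, (2) SIG is LEAF's signature over KEY,
# and (3) LEAF's subject CN is the identity you are about to certify. A valid
# chain alone says nothing about *which* identity the CA vouched for, hence (3).
verify_ca_signed_key() {
  root=$1; leaf=$2; key=$3; sig=$4; expected_cn=$5
  openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1 || return 1
  openssl x509 -in "$leaf" -pubkey -noout > "$WORK/leaf.pub"
  openssl dgst -sha256 -verify "$WORK/leaf.pub" -signature "$sig" "$key" \
    >/dev/null 2>&1 || return 1
  cn=$(openssl x509 -in "$leaf" -noout -subject -nameopt RFC2253 |
       sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$expected_cn" ]
}

make_fixture
if verify_ca_signed_key "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/key.asc" \
     "$WORK/key.sig" "alice@example.org"; then
  echo "chain, signature and identity check out; OK to import and certify, e.g."
  echo "  gpg --import key.asc && gpg --ask-cert-level --sign-key <keyid>  # 2 = casual (0x12)"
else
  echo "verification failed: do not certify this key"
fi
```

The `<keyid>` in the final echo is a placeholder; the detached signature is stripped simply by importing `key.asc` without `key.sig`, as the original post describes.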
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users