> On 16 Jun 2019, at 12:51, Vincent Breitmoser <look@my.amazin.horse> wrote:
>
>> Maybe you can consider in the future at least to allow CA sigs.
>> Those would be only one sig per key and the CA signing keys
>> could be stored in your database as reference as well.
>>
>> Currently 3 CAs come to mind: Governikus, Heise and CAcert.
>
> Interesting thought! I would be a bit worried about slipping into a
> gatekeeper role, but at least there are no technical issues with this.

I would recommend that if you want to go down the road of selectively allowing some third party sigs, that the only honest and transparent way is to allow the leaf certs to determine which sigs are allowed on themselves, via cross signing. If a CA wants to make this process cleaner for the end user, it can be done through tooling.

A