> On 16 Jun 2019, at 12:51, Vincent Breitmoser <look@my.amazin.horse> wrote:
> 
> 
>> Maybe you can consider in the future at least to allow CA sigs.
>> Those would be only one sig per key and the CA signing keys
>> could be stored in your database as reference as well.
>> 
>> Currently 3 CAs come to mind: Governikus, Heise and CAcert.
> 
> Interesting thought!  I would be a bit worried about slipping into a gatekeeper
> role, but at least there are no technical issues with this.

I would recommend that if you want to go down the road of selectively allowing
some third-party sigs, the only honest and transparent way is to allow the
leaf certs to determine which sigs are allowed on themselves, via cross
signing. If a CA wants to make this process cleaner for the end user, it can be
done through tooling.

A

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
