Re: Using root CAs as a trusted 3rd party
On Tuesday, 24 January 2012, 22:10:35, Faramir wrote:
> > This is why OpenPGP implementations have trust settings. If Bob
> > trusts Trent's assertions, then he can give Trent full trust and
> > Bob's implementation will believe that Alice's key belongs to
> > Alice. There's no need to sign the key.
>
> But Charly doesn't have Trent's key in his keyring, he doesn't even
> know about Trent. So if Bob doesn't sign Alice's key, Charly won't
> consider it valid. He will see the signature issued by an unknown key
> (Trent's), and that is all.

You completely change the semantics and use of the web of trust. IMHO that cannot be good.

Charly can check all keys of the unknown signatures. After downloading Trent's key he finds Bob's signature and can make a decision about the trust path.

Network systems like the web of trust can only work if all (or: most) people act in the same way. Do you suggest that every key gets 90 instead of (I guess) today's 10 because everyone signs his (trustedly) indirect contacts? Without any chance to tell direct and indirect signatures apart?

What about revocations? Let's assume that Trent revokes his signature for Alice. Is Bob going to check that regularly? Probably not. Then Charly would trust the key due to Bob's signature though Bob himself does not trust it any more! At least not when thinking about it. And as Bob's signature does not even tell a third party which direct(?) signature made him certify the key, the third party cannot check whether the respective certification has been revoked.

This behaviour would kill both trust depth and signature counting. A configuration like "Trust the key if it has five marginally trusted certifications" does not make any sense any more if one signature can become five that easily by everyone making indirect certifications. How can Bob know whether Trent has really verified the key or just certified it because he found a signature by Peter? This is never-ending.

In the end probably every key in the wild would be certified by ALL active keys. Why? Because most OpenPGP users should be connected somehow (no matter how many levels in between) and the result of such behaviour would be a flat signature space. Terrible. The value of a signature would drop to nearly zero (without checking for a policy URL and the policy description there). Is that what you want?

This would not be a problem at all if the meaning of a certain signature were clear. As I mentioned several times in earlier threads I would love to have a standard set of detailed signature notations for explaining the meaning of a certification (because applications could be configured to treat standardized notations differently). One of the notations could be direct vs. indirect.

Hauke

-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Using root CAs as a trusted 3rd party
On 24-01-2012 16:26, brian m. carlson wrote:
> On Tue, Jan 24, 2012 at 03:13:46PM -0300, Faramir wrote:
>> Well, if Trent signs Alice's key, Bob, who trusts Trent, might sign
>> her key too. Charly doesn't know Trent, but he trusts Bob's
>> judgement, so he might accept Alice's key as valid, not because
>> of Trent's ...
> This is why OpenPGP implementations have trust settings. If Bob
> trusts Trent's assertions, then he can give Trent full trust and
> Bob's implementation will believe that Alice's key belongs to
> Alice. There's no need to sign the key.

But Charly doesn't have Trent's key in his keyring, he doesn't even know about Trent. So if Bob doesn't sign Alice's key, Charly won't consider it valid. He will see the signature issued by an unknown key (Trent's), and that is all.

Best Regards
Re: Using root CAs as a trusted 3rd party
On Tue, Jan 24, 2012 at 03:13:46PM -0300, Faramir wrote:
> Well, if Trent signs Alice's key, Bob, who trusts Trent, might sign her
> key too. Charly doesn't know Trent, but he trusts Bob's judgement, so
> he might accept Alice's key as valid, not because of Trent's
> signature, but because of Bob's signature. Also, maybe Trent only
> signs keys if 2 persons have checked it, but he just signs it once;
> that signature doesn't reflect the amount of people having checked it.

This is why OpenPGP implementations have trust settings. If Bob trusts Trent's assertions, then he can give Trent full trust and Bob's implementation will believe that Alice's key belongs to Alice. There's no need to sign the key.

If I truly believe that a key belongs to someone that I have seen use it for several years and that is trusted by numerous other people, but I have not verified the connection between that person's identity and key myself, I use a local signature. That way I don't have other people rely on my assertion if I haven't done the amount of checking that I would like to before making a public statement.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
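The validity computation that brian's message above and Hauke's reply at the top of the page argue over (ownertrust settings, local signatures, indirect certifications, revocations and signature counting), as an added Python model. This is not code from the thread or from GnuPG; it only mimics the rules of GnuPG's classic trust model. The keyrings it builds are constructed, the names Trent, Alice, Bob and Charly are the thread's own placeholders, and Dave is a hypothetical fourth viewer added for the counting scenario.

```python
"""Toy model of OpenPGP key validity in the style of GnuPG's classic trust
model (added example, not GnuPG code).  A key is valid for the viewer if,
within max_cert_depth hops, it carries one certification from a valid key
holding "full" ownertrust, or marginals_needed certifications from valid keys
holding "marginal" ownertrust.  Revoked certifications never count and a
local (non-exportable) certification exists only in its signer's keyring."""
from dataclasses import dataclass, field


@dataclass
class Cert:
    signer: str
    cert_level: int          # 0x10 generic, 0x11 persona, 0x12 casual, 0x13 positive
    exportable: bool = True  # False models "lsign": never leaves the signer's keyring
    revoked: bool = False


@dataclass
class Key:
    owner: str
    certs: list = field(default_factory=list)


def valid_keys(keys, ownertrust, viewer, marginals_needed=3,
               max_cert_depth=5, min_cert_level=0x10):
    """Return the set of key owners that `viewer`'s keyring would mark valid."""
    ownertrust = {**ownertrust, viewer: "ultimate"}
    valid = {viewer}
    for _ in range(max_cert_depth):
        newly_valid = set()
        for name, key in keys.items():
            if name in valid:
                continue
            full = marginal = 0
            for c in key.certs:
                if c.revoked or c.cert_level < min_cert_level:
                    continue
                if not c.exportable and c.signer != viewer:
                    continue            # nobody else ever sees an lsign
                if c.signer not in valid:
                    continue            # certifier's own key not (yet) valid
                level = ownertrust.get(c.signer)
                if level in ("full", "ultimate"):
                    full += 1
                elif level == "marginal":
                    marginal += 1
            if full >= 1 or marginal >= marginals_needed:
                newly_valid.add(name)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid


def _thread_keyrings(bob_resigns, bob_signs_locally, trent_revokes):
    """Constructed keyring for the thread's scenario: Trent certified Alice,
    Bob verified Trent in person, Charly verified Bob in person.  Charly only
    has Trent's key through Bob's certification and gives Trent no ownertrust."""
    keys = {
        "trent": Key("trent", [Cert("bob", 0x13)]),
        "alice": Key("alice", [Cert("trent", 0x13, revoked=trent_revokes)]),
        "bob": Key("bob", [Cert("charly", 0x13)]),
        "charly": Key("charly"),
    }
    if bob_resigns:  # Bob re-certifies Alice on the strength of Trent's signature alone
        keys["alice"].certs.append(Cert("bob", 0x12, exportable=not bob_signs_locally))
    return keys


def indirect_certification(bob_resigns, bob_signs_locally=False, trent_revokes=False):
    """Return (bob_still_has_grounds, charly_accepts_alice)."""
    grounds = _thread_keyrings(False, False, trent_revokes)  # what Bob actually checked
    bob_has_grounds = "alice" in valid_keys(grounds, {"trent": "full"}, "bob")
    keys = _thread_keyrings(bob_resigns, bob_signs_locally, trent_revokes)
    charly_accepts = "alice" in valid_keys(keys, {"bob": "full"}, "charly")
    return bob_has_grounds, charly_accepts


def signature_counting(resigners, min_cert_level=0x10):
    """Dave (hypothetical) needs three marginal certifications.  Alice has one
    genuine certification (Trent, whom Dave does not trust); each re-signer was
    verified by Dave in person, holds marginal ownertrust, and re-certifies
    Alice at 0x12 purely because Trent's signature is already there."""
    keys = {"trent": Key("trent"), "alice": Key("alice", [Cert("trent", 0x13)])}
    trust = {}
    for name in resigners:
        keys[name] = Key(name, [Cert("dave", 0x13)])
        keys["alice"].certs.append(Cert(name, 0x12))
        trust[name] = "marginal"
    return "alice" in valid_keys(keys, trust, "dave", marginals_needed=3,
                                 min_cert_level=min_cert_level)


if __name__ == "__main__":
    print(indirect_certification(bob_resigns=False))                         # (True, False)
    print(indirect_certification(bob_resigns=True))                          # (True, True)
    print(indirect_certification(bob_resigns=True, bob_signs_locally=True))  # (True, False)
    print(indirect_certification(bob_resigns=True, trent_revokes=True))      # (False, True)
    print(signature_counting(["bob", "carol", "erin"]))                      # True
    print(signature_counting(["bob", "carol", "erin"], min_cert_level=0x13)) # False
```

The four `indirect_certification` runs reproduce the thread in order: without Bob's re-signature Charly rejects Alice even though he can fetch Trent's key, because he assigns Trent no ownertrust; with an exportable re-signature Charly accepts; with a local signature (brian's practice) Bob's private belief never reaches Charly; and after Trent revokes, Bob's own grounds are gone while Charly still accepts, which is Hauke's revocation objection. `signature_counting` shows one genuine certification being turned into three marginal ones, and that a viewer who only counts 0x13 certifications is protected from 0x12 re-signatures but not from re-signers who pick 0x13.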
Re: Using root CAs as a trusted 3rd party
On 21-01-2012 18:50, Gregor Zattler wrote:
> Hi Aaron, gnupg users,
> * Aaron Toponce [21. Jan. 2012]:
>> I just signed an OpenPGP key with cert level 0x12 (casual
>> checking) given the following scenario:
>>
>> * A PGP key was signed by an SSL certificate that was signed by a
>> root CA
>> * I verified that the signature was indeed from that root CA.
>> * I stripped the signature, and imported the PGP key.
>> * I then signed the key, exported, and sent back.
>>
>> What are your thoughts on using root CAs as a trusted 3rd party
>> for trusting that a key is owned by whom it claims? Of course,
>> this is merely for casual checking, but it seems to be "good
>> enough".
>
> IMHO by signing a key you make a statement about the connection
> between a person or owner and the user id you sign, saying "I
> somehow convinced myself that user owns this key". This only makes
> sense if you have some insight into the matter that a person which
> is confronted with the key only cannot have. Your signature should
> add some information. Merely saying I'm convinced that the user is
> the owner/originator of the key because someone else already signed
> this key, does not make much sense to me. I think you should have
> added a notation explaining your reasoning.

Well, if Trent signs Alice's key, Bob, who trusts Trent, might sign her key too. Charly doesn't know Trent, but he trusts Bob's judgement, so he might accept Alice's key as valid, not because of Trent's signature, but because of Bob's signature. Also, maybe Trent only signs keys if 2 persons have checked it, but he just signs it once; that signature doesn't reflect the amount of people having checked it.

Best Regards
Re: Using root CAs as a trusted 3rd party
Hi Mike, gnupg users,
* gn...@lists.grepular.com [22. Jan. 2012]:
[...]
> I sometimes wonder if the traditional public web of trust is even a good
> idea. Are you happy to be associated with everybody you've signed the
> key of and those who have signed yours? Are you sure that none of these
> people will do anything in the future which might cause these public
> associations to become a problem for you?

When I sign a key I make a statement that I checked somehow that the key "belongs to" a specific person P. I might make further claims via a notation or a policy URL but I don't have to. Merely stating that I proved someone's identity as P should not mean anything else.

But you are right, perhaps in the future P will be known to be a christ|communist|murderer|free software user|... and some government|churches|militia|... may come after me because I had dealings with such a person. But this might also happen because I am neighbour to P1 or was in school with P2 or, even more problematic, because this christ|communist|devil|free software user|... might be me. And especially in the latter case I would be happy if at least freedom loving free software users stand against inhuman and morally wrong accusations.

Signing a key means signing a key. And we should fight for that if anyone gets in trouble because of it.

Ciao, Gregor
-- 
-... --- .-. . -.. ..--.. ...-.-
Re: Using root CAs as a trusted 3rd party
On 01/23/2012 03:24 PM, Mark H. Wood wrote:
> On Sat, Jan 21, 2012 at 01:49:20PM -0800, Ken Hagler wrote:
>
> (...)
>
> I guess that the lesson is: don't assume. Find out for yourself
> whether a CA is worthy of your trust, before trusting.

Well, that could be a big challenge. In addition consider those:

http://petsymposium.org/2010/papers/hotpets10-Soghoian.pdf
http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html
https://bugzilla.mozilla.org/show_bug.cgi?id=682956
http://www.f-secure.com/weblog/archives/2128.html
https://blog.torproject.org/blog/diginotar-damage-disclosure
http://www.links.org/?p=1196
...

And many, many more examples. There were discussions about x509 and CAs' credibility or ability to perform their tasks. Not much to add here I think.

-- 
Regards,
Milo
Re: Using root CAs as a trusted 3rd party
On Sat, Jan 21, 2012 at 01:49:20PM -0800, Ken Hagler wrote:
> On Jan 21, 2012, at 10:12 AM, Aaron Toponce wrote:
>
> > What are your thoughts on using root CAs as a trusted 3rd party for
> > trusting that a key is owned by whom it claims? Of course, this is merely
> > for casual checking, but it seems to be "good enough".
>
> As far as I can see the only checking CAs do before issuing a certificate is
> "does the credit card clear."

It seems to depend on the CA. I know that one does a bit more checking because, the first time I sent them a request, I got a call from our corporate security officer to ask if I was really the one who had sent that request, because the CA had asked him the same question. They had wanted some identifying information about us that was not so easy for a mere computer wrangler like me to get, too.

That little bit of fussiness won my repeat business, BTW. I figured that being fussy is what we were paying for. I wouldn't spend a dime at one of those CC-clearance-is-good-enough-for-us outfits.

I guess that the lesson is: don't assume. Find out for yourself whether a CA is worthy of your trust, before trusting.

-- 
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: Using Root CAs as a Trusted 3rd Party
Reference:
Subject: Re: Using root CAs as a trusted 3rd party
Date: Sat, 21 Jan 2012 13:49:20 -0800
From: Ken Hagler
To: Aaron Toponce
CC: gnupg-users@gnupg.org

> On Jan 21, 2012, at 10:12 AM, Aaron Toponce wrote:
>
>> What are your thoughts on using root CAs as a trusted 3rd party
>> for trusting that a key is owned by whom it claims? Of course,
>> this is merely for casual checking, but it seems to be "good
>> enough".
>
> As far as I can see the only checking CAs do before issuing a
> certificate is "does the credit card clear."

I believe you'll find that CAcert (www.cacert.org) is an exception *if* you are relying on one of their x.509 certificates that includes the individual's name, since all CAcert certificates are free *and*, if the CAcert certificate includes the owner's name -- and if you're willing to accept that CAcert assurance policies have been followed -- you can be confident that:

a. The owner of the certificate has had a face-to-face meeting with two or more CAcert assurers who have examined (and accepted as valid) Government-issued photoID documentation provided by that individual. Based on their assurance experience and their belief that the documents they have reviewed are valid, assurers can grant from 1 to 35 assurance points per individual. An individual must have at least 50 such points on their CAcert account to be considered "trusted" by CAcert.

b. If an individual's name is included in their CAcert x.509 certificate *and* if that individual is also listed by location in CAcert's public list of assurers, you can be confident that the individual has had a face-to-face meeting with three or more CAcert assurers who have examined provided Government-issued photoID documentation and accepted them as valid as noted in subpara "a" above, and that the individual has at least 100 assurance points on their CAcert account and has met all other CAcert assurer requirements.

c. Currently many operating systems do not automatically include the CAcert root certificates (for details see http://wiki.cacert.org/InclusionStatus) but they can be easily obtained from http://www.cacert.org/index.php?id=3 and manually added to your list of root certificates.

Just as a matter of information regarding members of the Gossamer Spider Web of Trust (GSWoT): among other requirements a GSIntroducer (GSI) must meet is that they are either:

d. A CAcert assurer, or

e. Have an x.509 CAcert certificate that includes their name (indicating they've met with at least two CAcert assurers -- see subpara "a" above) *and have also* had a face-to-face meeting with at least one GSI who has examined and accepted as valid the Government-issued photoID documentation they've provided, and has trust signed their PGP/GPG key with their GSI key or keys, or

f. Had a face-to-face meeting with three GSIs who have examined and accepted as valid the Government-issued photoID documentation they've provided, and has trust signed their PGP/GPG key with their GSI key or keys.

Only then -- again assuming all other GSWoT policy requirements have been met and that it's been validated that they control the email addresses associated with each of their key's userIDs -- are their PGP/GPG key or keys' userIDs GPG "sig!2 1" trust signed by the 8875BF7F GSWoT "Signing Authority" key validating they are GSIs.

Ciao
Kara

Timestamp: Mon, 23 Jan 2012, 0553 Local (UTC -0500)
Re: Using root CAs as a trusted 3rd party
On 22/01/12 02:49, Aaron Toponce wrote:
> Yes. That's all I'm after. I think the militant "I _absolutely_ won't sign
> any keys unless I verify their identification, face-to-face" attitude is
> hindering adoption. There must be a way to build the WOT, while still
> allowing people to sign keys without meeting. Thus, the reasons for 0x10,
> 0x11, 0x12 and 0x13 in GnuPG for identifying how carefully you've verified
> the owner of a key.
>
> I'm looking for ways to build the WOT, without hindering adoption, by
> taking advantage of various means to establish trust of key ownership. This
> seems to be a method, I just want to make sure I have all my i's jotted and
> my t's crossed.

I've taken a different approach. Rather than trying to build up a WOT by getting people to sign my key, I've just made sure that the fingerprint of my master key is spread wide and far over the Internet, and that I sign everything.

The front page of my website https://grepular.com/ is signed. It displays my fingerprint, and a Google link next to it:

https://encrypted.google.com/search?q=%2235BC+AF1D+3AA2+1F84+3DC3+B0CF+70A5+F512+0018+461F%22&filter=0

You can see my fingerprint mentioned all over the place. I also sign all of my profiles on different sites whenever possible. A couple of examples:

http://hackerbuddy.com/users/2670
https://news.ycombinator.com/user?id=mike-cardwell

My fingerprint is also stored in a PKA record in the DNS:

mike@Fuzzbutt:~$ dig +short txt mike.cardwell._pka.grepular.com
"v=pka1\;fpr=35BCAF1D3AA21F843DC3B0CF70A5F5120018461F\;uri=http://grepular.com/0018461F.pub.asc";
mike@Fuzzbutt:~$

And the DNS for grepular.com even uses DNSSEC.

I don't think you need to meet me in person to be confident that the key you've downloaded is mine.

I sometimes wonder if the traditional public web of trust is even a good idea. Are you happy to be associated with everybody you've signed the key of and those who have signed yours? Are you sure that none of these people will do anything in the future which might cause these public associations to become a problem for you?

-- 
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key: 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key: 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
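A check of the PKA record quoted in Mike's message against the fingerprint of a key one has actually downloaded, as an added Python example; this is not code from the message or from GnuPG. The sample input is the `dig +short txt` line shown above, copied in the shape dig prints it (quoted, with semicolons escaped as `\;`); the field names `v`, `fpr` and `uri` are taken from that record.

```python
"""Parse a PKA (Public Key Association) DNS TXT record as printed by
`dig +short txt` and compare it with the fingerprint of the key in hand.
Added example; the record below is the one quoted in the message above."""
import re

# Sample input as shown in the message: dig wraps the TXT string in quotes
# and escapes the record's semicolons as "\;".
DIG_LINE = r'"v=pka1\;fpr=35BCAF1D3AA21F843DC3B0CF70A5F5120018461F\;uri=http://grepular.com/0018461F.pub.asc"'


def parse_pka(dig_line):
    """Return the record's fields as a dict; raise ValueError on anything odd."""
    match = re.search(r'"(.*?)"', dig_line)
    if not match:
        raise ValueError("no quoted TXT string in dig output")
    record = match.group(1).replace(r"\;", ";")   # undo dig's escaping
    fields = {}
    for part in filter(None, record.split(";")):
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "pka1":
        raise ValueError("not a pka1 record")
    # Insist on a full 40-hex-digit v4 fingerprint: a bare key ID is not enough,
    # because 32-bit and 64-bit key IDs are not unique.
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", fields.get("fpr", "")):
        raise ValueError("fpr must be a full 40-hex-digit fingerprint")
    fields["fpr"] = fields["fpr"].upper()
    return fields


def normalize_fingerprint(text):
    """Accept the space-grouped form people publish ("35BC AF1D ...")."""
    return re.sub(r"\s+", "", text).upper()


def pka_matches(dig_line, fingerprint_of_key_in_hand):
    """True only if the DNS record names exactly the fingerprint of the key
    you downloaded (for instance from the record's own uri)."""
    return parse_pka(dig_line)["fpr"] == normalize_fingerprint(fingerprint_of_key_in_hand)


if __name__ == "__main__":
    print(parse_pka(DIG_LINE)["uri"])   # http://grepular.com/0018461F.pub.asc
    print(pka_matches(DIG_LINE, "35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F"))  # True
```

The comparison is only as good as the DNS answer it is fed: the record binds a fingerprint to the name only when the resolver validated the response under DNSSEC (the message notes grepular.com is signed). A `dig` run against a non-validating resolver, or one that ignores the AD flag, gives a string that any on-path party could have substituted, so the parser above deliberately does no fetching of its own and leaves the trust decision to the caller.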
Re: Using root CAs as a trusted 3rd party
Hi Aaron, gnupg users,
* Aaron Toponce [21. Jan. 2012]:
> On Sat, Jan 21, 2012 at 10:50:11PM +0100, Gregor Zattler wrote:
>> IMHO by signing a key you make a statement about the connection
>> between a person or owner and the user id you sign, saying "I
>> somehow convinced myself that user owns this key". This only
>> makes sense if you have some insight into the matter that a
>> person which is confronted with the key only cannot have. Your
>> signature should add some information. Merely saying I'm
>> convinced that the user is the owner/originator of the key
>> because someone else already signed this key, does not make much
>> sense to me. I think you should have added a notation explaining
>> your reasoning.
>
> I trust the encrypted connection between my browser and my bank, because
> the certificate they present to my browser is signed by a root CA that is
> installed in the browser.

I do the same since my bank refuses unwaveringly to send me their certificate by snail mail. Yes, I actually asked them to send me their certificate but they explicitly refused to do so and told me I am free to quit my account. In this dispute I learned I'm the only customer ever to ask for their certificate.

> It seems possible to make a valid corollary with
> OpenPGP keys. I trust a key belongs to a specific user, because that key,
> presented to me as owned by a specific person, is signed by a root CA.
>
> Essentially, I'm using a CA as a 3rd party to casually establish identity.
> At this point, I can rest assured that the key this person claims is theirs
> is actually theirs.

Sure. Nothing wrong with that. You look at the key, see it's signed by the CA, you check the signature and decide *for yourself* that this is proof enough, that this is the user's key. You take the risk.

But don't use this as an argument to sign the key because then you are making a public statement instead of a private reasoning:

Next time I use the very same key: I see the signature of the CA. Now there are two possibilities:

a) I trust the CA. Then I check their signature, see it's good and I'm convinced it's the valid key of the user. What does your signature help me in this instance?

b) I do not trust the CA. Therefore I don't even bother to check their signature. So I can't trust the validity of the key. But stop: There is a signature of Aaron Toponce. For the sake of the argument, let's assume we met at a key signing party, signed our respective keys and had a nice talk then. Now I see the user's key is signed with a fully trusted key (yours) and therefore I might consider it valid -- but only because you trust a CA I don't trust.

In my opinion that's the wrong outcome.

Please sign keys only because of your own judgement on some facts not present with the key alone, not others' (the CA).

Ciao, Gregor
-- 
-... --- .-. . -.. ..--.. ...-.-
Re: Using root CAs as a trusted 3rd party
On Sat, Jan 21, 2012 at 10:50:11PM +0100, Gregor Zattler wrote:
> IMHO by signing a key you make a statement about the connection
> between a person or owner and the user id you sign, saying "I
> somehow convinced myself that user owns this key". This only
> makes sense if you have some insight into the matter that a
> person which is confronted with the key only cannot have. Your
> signature should add some information. Merely saying I'm
> convinced that the user is the owner/originator of the key
> because someone else already signed this key, does not make much
> sense to me. I think you should have added a notation explaining
> your reasoning.

I trust the encrypted connection between my browser and my bank, because the certificate they present to my browser is signed by a root CA that is installed in the browser. It seems possible to make a valid corollary with OpenPGP keys. I trust a key belongs to a specific user, because that key, presented to me as owned by a specific person, is signed by a root CA.

Essentially, I'm using a CA as a 3rd party to casually establish identity. At this point, I can rest assured that the key this person claims is theirs is actually theirs.

-- 
. o . o . o . . o o . . . o . . . o . o o o . o . o o . . o o o o . o . . o o o o . o o o
Re: Using root CAs as a trusted 3rd party
On Sat, Jan 21, 2012 at 02:47:25PM -0500, Thomas Harning Jr. wrote:
> That process seems pretty reasonable, assuming the CA is reputable. Even
> better if you keep track of the SSL cert to keep track of breaches and the
> like.

The idea is only to casually trust that a key belongs to a person. If the key is signed by a root CA certificate, then the person has established a relationship of trust between themselves and the CA. So, if the PGP key is signed by that cert, it seems to follow that the key is indeed owned by the person who claims to own it.

> It seems akin to the PayPal 3rd party auth, just a different source.

Yes. That's all I'm after. I think the militant "I _absolutely_ won't sign any keys unless I verify their identification, face-to-face" attitude is hindering adoption. There must be a way to build the WOT, while still allowing people to sign keys without meeting. Thus, the reasons for 0x10, 0x11, 0x12 and 0x13 in GnuPG for identifying how carefully you've verified the owner of a key.

I'm looking for ways to build the WOT, without hindering adoption, by taking advantage of various means to establish trust of key ownership. This seems to be a method, I just want to make sure I have all my i's jotted and my t's crossed.

-- 
. o . o . o . . o o . . . o . . . o . o o o . o . o o . . o o o o . o . . o o o o . o o o
Re: Using root CAs as a trusted 3rd party
On Jan 21, 2012, at 10:12 AM, Aaron Toponce wrote:
> What are your thoughts on using root CAs as a trusted 3rd party for
> trusting that a key is owned by whom it claims? Of course, this is merely
> for casual checking, but it seems to be "good enough".

As far as I can see the only checking CAs do before issuing a certificate is "does the credit card clear."

-- 
Ken Hagler | http://www.orange-road.com/
| And tho' we are not now that strength which in old days
| Moved earth and heaven, that which we are, we are --Tennyson |
Re: Using root CAs as a trusted 3rd party
On Saturday, 21 January 2012, 19:12:15, Aaron Toponce wrote:
> I just signed an OpenPGP key with cert level 0x12 (casual checking) given
> the following scenario:
>
> * A PGP key was signed by an SSL certificate that was signed by a root
> CA
> * I verified that the signature was indeed from that root CA.
> * I stripped the signature, and imported the PGP key.
> * I then signed the key, exported, and sent back.
>
> What are your thoughts on using root CAs as a trusted 3rd party for
> trusting that a key is owned by whom it claims? Of course, this is merely
> for casual checking, but it seems to be "good enough".
>
> Thoughts?

IMHO that does not make sense. In the end you just certify that you trust the CA. Your certification makes a difference just to those who do not trust the root CA (or do not know this certification path because the key servers don't know it). The clear solution would be that you certify the root CA's certificate.

Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Re: Using root CAs as a trusted 3rd party
Hi Aaron, gnupg users,
* Aaron Toponce [21. Jan. 2012]:
> I just signed an OpenPGP key with cert level 0x12 (casual checking) given
> the following scenario:
>
> * A PGP key was signed by an SSL certificate that was signed by a root
> CA
> * I verified that the signature was indeed from that root CA.
> * I stripped the signature, and imported the PGP key.
> * I then signed the key, exported, and sent back.
>
> What are your thoughts on using root CAs as a trusted 3rd party for
> trusting that a key is owned by whom it claims? Of course, this is merely
> for casual checking, but it seems to be "good enough".

IMHO by signing a key you make a statement about the connection between a person or owner and the user id you sign, saying "I somehow convinced myself that user owns this key". This only makes sense if you have some insight into the matter that a person which is confronted with the key only cannot have. Your signature should add some information. Merely saying I'm convinced that the user is the owner/originator of the key because someone else already signed this key, does not make much sense to me. I think you should have added a notation explaining your reasoning.

Ciao, Gregor
-- 
-... --- .-. . -.. ..--.. ...-.-

[1] Especially since there have been several compromises of CAs in the past.
Re: Using root CAs as a trusted 3rd party
On Jan 21, 2012 1:13 PM, "Aaron Toponce" wrote:
>
> I just signed an OpenPGP key with cert level 0x12 (casual checking) given
> the following scenario:
>
> * A PGP key was signed by an SSL certificate that was signed by a root
> CA
> * I verified that the signature was indeed from that root CA.
> * I stripped the signature, and imported the PGP key.
> * I then signed the key, exported, and sent back.
>
> What are your thoughts on using root CAs as a trusted 3rd party for
> trusting that a key is owned by whom it claims? Of course, this is merely
> for casual checking, but it seems to be "good enough".
>

That process seems pretty reasonable, assuming the CA is reputable. Even better if you keep track of the SSL cert to keep track of breaches and the like.

It seems akin to the PayPal 3rd party auth, just a different source. I may add this idea to my key signing policy... perhaps adding a flag in the policy URL like the version flag I have.
Using root CAs as a trusted 3rd party
I just signed an OpenPGP key with cert level 0x12 (casual checking) given the following scenario:

* A PGP key was signed by an SSL certificate that was signed by a root CA
* I verified that the signature was indeed from that root CA.
* I stripped the signature, and imported the PGP key.
* I then signed the key, exported, and sent back.

What are your thoughts on using root CAs as a trusted 3rd party for trusting that a key is owned by whom it claims? Of course, this is merely for casual checking, but it seems to be "good enough".

Thoughts?

-- 
. o . o . o . . o o . . . o . . . o . o o o . o . o o . . o o o o . o . . o o o o . o o o