[Freedombox-discuss] Why is the signing criteria higher for OpenPGP Certs than CA Certs?

Eugen Leitl eugen at leitl.org
Thu Apr 5 08:18:44 UTC 2012

On Thu, Apr 05, 2012 at 09:23:26AM +0200, Elena ``of Valhalla'' wrote:
> On 2012-04-05 at 10:58:23 +1000, Fifty Four wrote:
> > My understanding of key signing is that you only sign for what you believe
> > to be true. The Certificate Authority Startcom created a certificate for my
> > email address after Startcom verified my email address when I replied to
> > their email check. 
> > 
> > AFAIK, to get a signed OpenPGP Certs I would need to attend a key signing
> > party to verify my email address and check the key.  
> Strictly speaking this is not true: you are supposed to meet in person 
> before a sign exchange happen, but it does not have to be at a 
> signing party. 

A more rigorous approach to the web of trust is to use a procedure
like http://wiki.cacert.org/FAQ/AssuranceDetails

More information about the Freedombox-discuss mailing list