[Freedombox-discuss] Why is the signing criteria higher for OpenPGP Certs than CA Certs?

Eugen Leitl eugen at leitl.org
Thu Apr 5 08:18:44 UTC 2012


On Thu, Apr 05, 2012 at 09:23:26AM +0200, Elena ``of Valhalla'' wrote:
> On 2012-04-05 at 10:58:23 +1000, Fifty Four wrote:
> > My understanding of key signing is that you only sign for what you believe
> > to be true. The Certificate Authority Startcom created a certificate for my
> > email address after Startcom verified my email address when I replied to
> > their email check. 
> > 
> > AFAIK, to get a signed OpenPGP Cert I would need to attend a key signing
> > party to verify my email address and check the key.
> 
> Strictly speaking this is not true: you are supposed to meet in person
> before a sign exchange happens, but it does not have to be at a
> signing party.

A more rigorous approach to the web of trust is to use a procedure
like http://wiki.cacert.org/FAQ/AssuranceDetails
 


