[conspire] Offering GPG/PGP Workshop at CABAL

Daniel Gimpelevich daniel at gimpelevich.san-francisco.ca.us
Wed May 14 10:00:29 PDT 2008


On Tue, 13 May 2008 21:06:29 -0700, Rick Moen wrote:

> Have you ever encountered a real-world deployment of S/MIME that was
> _not_ a top-down corporate/institutional mail solution?  Those don't 
> need much community help, and I also cannot see most CABAL members
> paying two Thawte (or whoever) notaries to certify their in-person
> identities -- without which, the cert isn't much use.

Au contraire, the cert can positively establish identity (which is not
necessarily an in-person identity) without any verification at all. This
is true of both GPG/PGP and SSL. The more a particular signature is used
by an individual, the more obvious it becomes that that's whose signature
it is.

> Much of the value of GnuPG (and PGP, and the OpenPGP standard) lies in
> the fact that it relies on a broadbased, bottom-up web of trust -- in
> contrast.

Nothing about S/MIME requires bringing in notaries to verify anything even
to get a certification of an in-person identity. I fail to see how
GPG/PGP's "broadbased, bottom-up" web of trust has any conceptual
differences from what CAcert incorporates:
http://wiki.cacert.org/wiki/FAQ/AssuranceIntroduction#head-3321b1b3739278f8e8d378f6cf5267199fe342d9
Then again, the self-signed cert at https://linuxmafia.com could
theoretically also be used to sign its very own web of trust of SSL certs...




