[conspire] Offering GPG/PGP Workshop at CABAL

Daniel Gimpelevich daniel at gimpelevich.san-francisco.ca.us
Wed May 14 10:00:29 PDT 2008

On Tue, 13 May 2008 21:06:29 -0700, Rick Moen wrote:

> Have you ever encountered a real-world deployment of S/MIME that was
> _not_ a top-down corporate/institutional mail solution?  Those don't 
> need much community help, and I also cannot see most CABAL members
> paying two Thawte (or whoever) notaries to certify their in-person
> identities -- without which, the cert isn't much use.

Au contraire, the cert can positively establish identity (which is not
necessarily an in-person identity) without any verification at all. This
is true of both GPG/PGP and SSL. The more a particular signature is used
by an individual, the more obvious it becomes that that's whose signature
it is.

> Much of the value of GnuPG (and PGP, and the OpenPGP standard) lies in
> the fact that it relies a broadbased, bottom-up web of trust -- in
> contrast.

Nothing about S/MIME requires bringing in notaries to verify anything even
to get a certification of an in-person identity. I fail to see how
GPG/PGP's "broadbased, bottom-up" web of trust has any conceptual
differences from what CAcert incorporates:
Then again, the self-signed cert at https://linuxmafia.com could
theoretically also be used to sign its very own web of trust of SSL certs...

More information about the conspire mailing list