[Ach] StartSSL for Business Sysadmins
Tobias Dussa (SCC)
tobias.dussa at kit.edu
Tue Jan 14 11:53:09 CET 2014
On Tue, Jan 14, 2014 at 11:42:51AM +0100, Axel Hübl wrote:
> > Note that the PGP trust model is much worse in that respect; there
> > is nothing at all to help you decide on whether to bestow trust on
> > a given signature at all.
> Well, I guess a web-of-trust counts.
> It helps me a lot if a guy I trust trusted a particular key by signing it.
Exactly, that is my point. YOU have decided to trust this particular guy. It
is YOUR problem to establish that he only signs keys that are trustworthy (for
whatever definition). There is nothing wrong with that at all, don't
misunderstand me (I do use PGP and do attend keysigning parties all the time
;-)). The web of trust goes a long way, but it does not address every problem
and comes at a cost, too.
CAs, on the other hand, do provide CP/CPS, so you have at least some indication
of what is going on. You still have to decide whether a) a given CA is
trustworthy in the sense that they stick to their own CP/CPS and b) whether you
think that their CP/CPS are sensible, but at least there are published CP/CPS
(as opposed to "I know this guy and he seems to know what he is doing, so I
trust his signatures," which essentially says nothing about what his or her
signature actually implies).
Abusus non tollit usum. (Abuse does not take away proper use.)
Karlsruhe Institute of Technology (KIT)
Steinbuch Centre for Computing (SCC)
CERT Manager, CA Manager
76131 Karlsruhe, Germany
Phone: +49 721 608-42479
Fax: +49 721 608-9-42479
Email: tobias.dussa at kit.edu
KIT – University of the State of Baden-Wuerttemberg and
National Laboratory of the Helmholtz Association