[Ach] StartSSL for Business Sysadmins

Tobias Dussa (SCC) tobias.dussa at kit.edu
Tue Jan 14 11:53:09 CET 2014


On Tue, Jan 14, 2014 at 11:42:51AM +0100, Axel Hübl wrote:
> > Note that the PGP trust model is much worse in that respect; there
> > is nothing at all to help you decide on whether to bestow trust on
> > a given signature at all.
> Well, I guess a web-of-trust counts.
> It helps me a lot if a guy I trust trusted a particular key by signing it.

Exactly, that is my point.  YOU have decided to trust this particular guy.  It
is YOUR problem to establish that he only signs keys that are trustworthy (for
whatever definition).  There is nothing wrong with that at all, don't
misunderstand me (I do use PGP and do attend keysigning parties all the time
;-)).  The web of trust goes a long way, but it does not address every problem
and comes at a cost, too.

CAs, on the other hand, do provide CP/CPS, so you have at least some indication
of what is going on.  You still have to decide whether a) a given CA is
trustworthy in the sense that they stick to their own CP/CPS and b) whether you
think that their CP/CPS are sensible, but at least there are published CP/CPS
(as opposed to "I know this guy and he seems to know what he is doing, so I
trust his signatures," which essentially says nothing about what his or her
signature actually implies).

Abusus non tollit usum (abuse does not take away proper use).


Karlsruhe Institute of Technology (KIT)
Steinbuch Centre for Computing (SCC)

Tobias Dussa
CERT Manager, CA Manager

Zirkel 2
Building 20.21
76131 Karlsruhe, Germany

Phone: +49 721 608-42479
Fax: +49 721 608-9-42479
Email: tobias.dussa at kit.edu
Web: http://www.kit.edu/

KIT – University of the State of Baden-Wuerttemberg and
National Laboratory of the Helmholtz Association
