[7799] in cryptography@c2.net mail archive


Re: reflecting on PGP, keyservers, and the Web of Trust

daemon@ATHENA.MIT.EDU (Ed Gerck)
Tue Sep 12 16:07:51 2000

Date: Mon, 11 Sep 2000 13:05:08 -0700
From: Ed Gerck <egerck@nma.com>
Cc: cryptography@c2.net
Message-id: <39BD3AF4.16291930@nma.com>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
lcs Mixmaster Remailer wrote:

> This is in contrast to the practice in the X.509 PKI, where a root CA
> has the ability to delegate trust as far as it wishes.

This is not correct. In X.509 it is the verifier that defines how that
is accepted and to how many levels, irrespective of what was signed.

The contrast is not true for PGP either.  A signer in PGP may sign
any number of keys that may have a transitive relationship to one
another's signatures as far as the signer wishes -- what the verifier
does (as in X.509) is another story.


> If your browser
> trusts Verisign, and Verisign trusts someone else, you automatically
> trust that other party.

Depends on the browser.  This is not a requirement or feature of X.509,
though often so confused. For an example where it is not, see Apache.


Cheers,

Ed Gerck
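The distinction drawn above between what a CA signs into a chain and what a verifier chooses to accept can be shown concretely. The following Go program is an added example, not code from the thread or from any project mentioned in it; it uses only the standard library's crypto/x509 and builds a small constructed hierarchy at run time (all names, keys and serial numbers are made up for the demonstration). It separates two limits: the pathLenConstraint a CA signs into an intermediate, which the library enforces during chain building, and the verifier's own maximum chain depth, applied afterwards in the hypothetical helper verifyWithPolicy. The second limit is the role Apache's SSLVerifyDepth directive plays: the relying party decides how many levels of delegation it will honour, whatever the certificates say.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for subjectPub with signerPriv. A nil parent means
// self-signed (a root). pathLen < 0 means "no pathLenConstraint extension".
func issue(cn string, isCA bool, pathLen int, subjectPub ed25519.PublicKey,
	parent *x509.Certificate, signerPriv ed25519.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // constructed value
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
		if pathLen >= 0 {
			tmpl.MaxPathLen = pathLen
			tmpl.MaxPathLenZero = pathLen == 0 // Go only encodes a 0 when this flag is set
		}
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, subjectPub, signerPriv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// pki is the constructed hierarchy used below:
//   root -> ca1 (pathLenConstraint 0) -> leafA
//   root -> ca1 -> ca2 -> leafB          (ca2 sits one level deeper than ca1 permits)
type pki struct{ root, ca1, ca2, leafA, leafB *x509.Certificate }

func buildPKI() pki {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	root := issue("Constructed Root", true, -1, rootPub, nil, rootPriv, 1)
	ca1Pub, ca1Priv, _ := ed25519.GenerateKey(rand.Reader)
	ca1 := issue("Constructed CA1", true, 0, ca1Pub, root, rootPriv, 2)
	ca2Pub, ca2Priv, _ := ed25519.GenerateKey(rand.Reader)
	ca2 := issue("Constructed CA2", true, -1, ca2Pub, ca1, ca1Priv, 3)
	leafAPub, _, _ := ed25519.GenerateKey(rand.Reader)
	leafBPub, _, _ := ed25519.GenerateKey(rand.Reader)
	return pki{
		root: root, ca1: ca1, ca2: ca2,
		leafA: issue("leaf-a.example", false, -1, leafAPub, ca1, ca1Priv, 4),
		leafB: issue("leaf-b.example", false, -1, leafBPub, ca2, ca2Priv, 5),
	}
}

// verifyWithPolicy (hypothetical helper) lets crypto/x509 build the chain, which
// enforces what the CAs signed (pathLenConstraint), then applies the verifier's own
// depth limit, which no certificate can override. Depth counts certificates above
// the leaf (1 = issued directly by a trusted root). Returns the shortest valid depth.
func verifyWithPolicy(leaf *x509.Certificate, roots, inters []*x509.Certificate, maxDepth int) (int, error) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range inters {
		interPool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool})
	if err != nil {
		return 0, err // what was signed already rules this chain out
	}
	depth := len(chains[0]) - 1
	for _, ch := range chains[1:] { // several valid paths may exist; judge the shortest
		if len(ch)-1 < depth {
			depth = len(ch) - 1
		}
	}
	if depth > maxDepth {
		return depth, fmt.Errorf("chain depth %d exceeds verifier's limit of %d", depth, maxDepth)
	}
	return depth, nil
}

// check verifies a leaf against this hierarchy's root, offering both intermediates.
func (p pki) check(leaf *x509.Certificate, maxDepth int) (int, error) {
	return verifyWithPolicy(leaf, []*x509.Certificate{p.root}, []*x509.Certificate{p.ca1, p.ca2}, maxDepth)
}

func main() {
	p := buildPKI()
	for _, tc := range []struct{ leaf *x509.Certificate; limit int }{{p.leafA, 2}, {p.leafA, 1}, {p.leafB, 10}} {
		d, err := p.check(tc.leaf, tc.limit)
		fmt.Printf("%s with verifier limit %d: depth %d, err=%v\n", tc.leaf.Subject.CommonName, tc.limit, d, err)
	}
}
```

Running it shows three outcomes: leafA passes when the verifier allows two levels above the leaf, the same leafA is rejected by a verifier that allows only one even though every signature and constraint in the chain is valid, and leafB is rejected by the library itself because ca1's pathLenConstraint of 0 forbids the ca2 level beneath it, regardless of how generous the verifier's limit is.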