[Enigmail] Setting trust levels for unknown keys
Allen Schultz
allen.schultz at gmail.com
Wed Apr 29 15:00:28 PDT 2009
On Wed, Apr 29, 2009 at 3:38 PM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
> Please do not blindly designate ownertrust simply because you've met
> someone face-to-face. We've all met malicious and/or incompetent people
> face-to-face. It's good to know who the person is ("calculated
> validity"), but you should need to know something about their skills,
> their presence of mind, their ethical code, and their resistance to
> shenanigans in general to decide to trust their certifications
> ("ownertrust").
This could go for all Certificate Authorities, not just Thawte
or CAcert who even issue SSL certificates for ssl verified https
encryption for your security on the web as well. You the
community will use issued certificates from CA companies for
financial data online when you either need to or want to. When
is it time to accept a CA? When they have legal backing to be
fined by whatever government they're a corporation under?
Can you trust any company out there? Even the one you work for
as an employee, to verify identity or trust in keysigning policies?
Should we even have a 3rd party authority at all if this
discussion is coming up with this level of heat/passion?
Faramir and I, among others, have reviewed "said" policies and
agreement (legal) documents with CAcert and Thawte and have
"personally" decided to trust them (under the context of legal
consequence to the CAs) about their validity. Please read them
when you get the chance.
If you find that they have notarized someone that is false, they
have a legal remorse policy that must be followed. Would you
trust that?
I did "not" mean to turn this into a heated discussion or flame
war on the subject of trust. But I was merely pointing out that
there are 3rd party organizations who have SSL certificate roots
and GPG key roots for their personal WoT. You can either sign on
with them through their policies and get notarized (verified
identity) with them or set up your own WoT. Your personal
choice, as Faramir keeps stating on this issue.
Allen
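The distinction DKG draws in the quoted text (calculated validity vs. ownertrust) is what GnuPG's classic trust model computes from your keyring. The block below is an added illustration, not code from this thread or from GnuPG: a simplified re-implementation of that computation using gpg's default thresholds, run over a constructed keyring, to show that setting full ownertrust on a key you verified face-to-face also makes every key that person has certified valid. Key names and the `scenario` helper are constructed for the example.

```python
# Ownertrust levels, in the order GnuPG's classic trust model ranks them.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = range(5)

COMPLETES_NEEDED = 1  # gpg default: one fully trusted certifier suffices
MARGINALS_NEEDED = 3  # gpg default: three marginally trusted certifiers
MAX_CERT_DEPTH = 5    # gpg default: longest certification chain considered


def compute_validity(ownertrust, certifications):
    """Return {key: bool} saying whether each key is fully valid.

    ownertrust:     {key: level}  how far we trust the owner as a certifier
    certifications: {signer: set(signed_keys)}  who certified whose key
    Ultimately trusted keys are valid by definition. Any other key becomes
    valid only when enough *already valid* certifiers with sufficient
    ownertrust have signed it. Each round extends chains by one hop, so
    MAX_CERT_DEPTH rounds bound the chain length (simplified; real gpg
    also checks expiry, revocation and signature classes).
    """
    keys = set(ownertrust) | set(certifications)
    keys |= {k for signed in certifications.values() for k in signed}
    valid = {k for k in keys if ownertrust.get(k, UNKNOWN) == ULTIMATE}
    for _ in range(MAX_CERT_DEPTH):
        added = set()
        for key in keys - valid:
            signers = [s for s, signed in certifications.items()
                       if key in signed and s in valid]
            fulls = sum(ownertrust.get(s, UNKNOWN) >= FULL for s in signers)
            margs = sum(ownertrust.get(s, UNKNOWN) == MARGINAL for s in signers)
            if fulls >= COMPLETES_NEEDED or margs >= MARGINALS_NEEDED:
                added.add(key)
        if not added:
            break
        valid |= added
    return {k: k in valid for k in keys}


def scenario(alice_trust):
    """Constructed keyring: 'me' certified alice after meeting her;
    alice has certified a key we have never checked ('stranger')."""
    ownertrust = {"me": ULTIMATE, "alice": alice_trust, "stranger": UNKNOWN}
    certs = {"me": {"alice"}, "alice": {"stranger"}}
    return compute_validity(ownertrust, certs)


if __name__ == "__main__":
    for level, name in ((UNKNOWN, "unknown"), (MARGINAL, "marginal"), (FULL, "full")):
        v = scenario(level)
        print(f"alice ownertrust={name}: alice valid={v['alice']}, "
              f"stranger valid={v['stranger']}")
```

Alice's key is valid in every case because you certified it yourself; only the ownertrust you assign to her decides whether the keys she certifies become valid too.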