[Enigmail] Setting trust levels for unknown keys
Faramir
faramir.cl at gmail.com
Wed Apr 29 14:12:59 PDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Robert J. Hansen wrote:
...
> This handwaves the question, though, of _why_ you're choosing to trust
> CAcert.org.
>
> I have no evidence CAcert.org is untrustworthy. At the same time, it's
> not like they've ever bought me a beer, either.
Right, it's indeed a very good question. Leaving aside that it is always a
personal decision whether or not to trust a key or CA, CAcert is based on the
open source philosophy, and that means their policies and procedures are
available to be checked by everybody. So maybe a level 2 signature
(informal checking) is not a bad idea at all (but again, that's a
personal decision). IIRC, that's the kind of signature CAcert issues,
even to their Assurers (who have had their identities checked by at
least 3 different persons).
I'd say there are no reasons to trust CAcert less than Thawte free
email certificates, since both are based on the same kind of identity
verification. Of course, maybe you wouldn't trust Thawte either, and I
know you have the right to do that.
It is still a good idea to have a trusted third party that can issue
signatures, so we can trust people we have never seen face to face (by
trust I mean "trusting a bit more than without any proof of
identity"). As an example, when I download GPGShell, I can check the
signature of the file against the author's public key, but since that
key is not signed by anybody I have seen face to face, I can never know
if it has been hacked or not (the workaround is that I have had that key in
my keyring for about 1 year, so it's likely the author would notice if
somebody is impersonating him, in that time).
Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----