[Freedombox-discuss] Why is the signing criteria higher for OpenPGP Certs than CA Certs?
I prefer the OpenPGP cert model over the CA model because the CA model only
allows one entity to sign your key, while OpenPGP offers more security by
spreading your risk amongst several entities.
My understanding of key signing is that you only sign for what you believe
to be true. The Certificate Authority Startcom created a certificate for my
email address after Startcom verified my email address when I replied to
their email check.
AFAIK, to get a signed OpenPGP Cert I would need to attend a key signing
party to verify my email address and check the key. I want OpenPGP to
succeed, but why can't I log in to a site which signs the key of my email
address after my email address has been verified. Why can't the same happen
for an IM address? Couldn't a video call verify my photo?
I know that CAs offer an Extended Validation service which requires full
identity checks, but the majority of online entities only want confirmation
of their online identifier i.e. web address. OpenPGP key signing parties
seem to me to match the Extended Validation service in requiring a full
My point is that in most cases people would only want their online identifiers
(email, IM/video call, blog) signed. That being the case, why does the
OpenPGP community require you to attend a key signing party?
To me, the key signing criteria for OpenPGP Certs seem unnecessarily
high, preventing mainstream adoption of what I see as a better model. Please
help me understand why the criteria are so high compared to CA Certs.
Thank you for reading.