Christian Huitema wrote:
The PKI and the PGP model both have risks, just different risks. The
PGP
model only involves the two parties; it brings the risk that the two
parties misidentify each other. The PKI model involves a third party,
supposedly trusted by both players; it brings the risk that the third
party may make mistakes, or that the two parties mistakenly assign too
much trust to a third party. Also, any large centralized service is
bound to become a target for government and other entities.
Absolutely!
The risk is narrower in PGP.
We have already had a case were the third-party made a mistake.
Some CA has sold their private key to get out of bankruptcy.