On 9/6/13 7:45 PM, Scott Kitterman wrote:
They have different problems, but are inherently less reliable than web of
trust GPG signing. It doesn't scale well, but when done in a defined context
for defined purposes it works quite well. With external CAs you never know
what you get.
Vast numbers of bits can be and have been spent on the problems
with PKI and on vulnerabilities around CAs (and the trust model).
I am not arguing that PKI is awesome. What I *am* arguing is that
the semantics of the trust assertions are pretty well-understood
and agreed-upon, which is not the case with pgp. When someone
signs someone else's pgp key you really don't know why, what the
relationship is, what they thought they were attesting to, etc.
Melinda