
Re: RIPEM details

1995-01-14 00:02:00


One can posit a future application of PGP where a firm only uses a
certain PGP key to sign customers' keys with whom that firm has an
established line of credit --- and PGP would work perfectly well for
that application --- but that's not the general use of PGP, and that's a
case where the user has established their own semantic meaning of a
signature on a PGP key, which has meaning only to them.

  Am I still out in left field?  You've spoiled such a nice mental model!

Yes, I think your model is not at all accurate.  PGP key signatures are
in practice only being used to make an assertion of identity.  Whether
or not you trust various people's assertions of identity is what makes
up the "web of trust".  The trust issues are only for identification,
not for whether or not someone is a scoundrel or not.

Well, I'm actually somewhat disappointed. It seems that PGP is closer to PEM
than I thought, and I had hoped that it was providing a sharper delineation of
features. I think that we _need_ more authentication models that actually address
the trust issue, and I had thought that PGP provided such a model. On the other
hand, the lack of a really sharp difference between the semantic models of
identity validation makes it somewhat easier to eventually bring the two systems
into alignment, if only by some gateways.

Unless someone is going to argue, "my six friends are better than your six
friends" or better than your CA and your PCA with their formal identification
policies, then the differences are really rather slight, when you get right
down to it.

Bob



--------------------------------
Robert R. Jueneman
GTE Laboratories
40 Sylvan Road
Waltham, MA 02254
FAX: 1-617-466-2603 
Voice: 1-617-466-2820

