Christian Huitema wrote:
> The PKI and the PGP model both have risks, just different risks. The PGP
> model only involves the two parties; it brings the risk that the two
> parties misidentify each other. The PKI model involves a third party,
> supposedly trusted by both players; it brings the risk that the third
> party may make mistakes, or that the two parties mistakenly assign too
> much trust to a third party. Also, any large centralized service is
> bound to become a target for government and other entities.

Absolutely! The risk is narrower in PGP. We have already had a case where the third party made a mistake. Some CA has sold their private key to get out of bankruptcy.