On 9/6/13 7:45 PM, Scott Kitterman wrote: > They have different problems, but are inherently less reliable than web of > trust GPG signing. It doesn't scale well, but when done in a defined context > for defined purposes it works quite well. With external CAs you never know > what you get. Vast numbers of bits can be and have been spent on the problems with PKI and on vulnerabilities around CAs (and the trust model). I am not arguing that PKI is awesome. What I *am* arguing is that the semantics of the trust assertions are pretty well-understood and agreed-upon, which is not the case with pgp. When someone signs someone else's pgp key you really don't know why, what the relationship is, what they thought they were attesting to, etc. Melinda