On Friday, September 06, 2013 19:50:28 Melinda Shore wrote:
> On 9/6/13 7:45 PM, Scott Kitterman wrote:
> > They have different problems, but are inherently less reliable than web of
> > trust GPG signing. It doesn't scale well, but when done in a defined
> > context for defined purposes it works quite well. With external CAs you
> > never know what you get.
>
> Vast numbers of bits can be and have been spent on the problems
> with PKI and on vulnerabilities around CAs (and the trust model).
> I am not arguing that PKI is awesome. What I *am* arguing is that
> the semantics of the trust assertions are pretty well-understood
> and agreed-upon, which is not the case with pgp. When someone
> signs someone else's pgp key you really don't know why, what the
> relationship is, what they thought they were attesting to, etc.

If you think CA assertions are any better, then I beg to differ. Just for fun:

http://www.winrumors.com/microsoft-warns-of-fake-ssl-certificates-issued-for-gmail-yahoo-skype-and-others/

Scott K