- From: Chris Bizer <chris@bizer.de>
- Date: Thu, 18 Mar 2004 13:29:59 +0100
- To: "Patrick Stickler" <patrick.stickler@nokia.com>
- Cc: "ext Jeremy Carroll" <jjc@hpl.hp.com>, <phayes@ihmc.us>, <www-archive@w3.org>, <jjc@hplb.hpl.hp.com>
> OK, so in either case (PGP or X509) you have a CA, and for PGP
> different folks vouch for other folks whereas for X509 one entity
> vouches for a set of registered users.

Yes, nearly. With the extension that X509 uses certification hierarchies, meaning VeriSign (the usual root CA) certifies other CAs, who themselves certify users and other CAs. The PGP approach doesn't rely on root CAs but on independent trust chains.

> Ultimately, one has to decide both whether (a) they trust the CA
> and trust the authority.
>
> Yes?

Yes. In the X509 case you should trust a root CA (all Internet Explorer users do, because the VeriSign certificate is built in :-), and all certificates are chained up to this root CA (or other CAs you trust on the way). In the PGP case you need to trust somebody in a chain that connects to the certificate you want to check.

Knowing that the signature is valid, your agent can start thinking about whether he trusts the authority on information content in the specific application domain.

Chris

> Patrick
>
> --
>
> Patrick Stickler
> Nokia, Finland
> patrick.stickler@nokia.com
Received on Thursday, 18 March 2004 08:28:15 UTC
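The two trust models discussed in the message above reduce to the same check once you write them down: starting from the keys you trust directly, accept a further key only if a signature over it verifies under a key you already accept, and repeat until you reach the key you are checking. What differs is the shape of the trusted set and who is allowed to sign. The following Go program is an added example, not code from the original message or from any real X.509 or OpenPGP implementation: it uses a constructed minimal "certificate" (subject, issuer, key, Ed25519 signature), deterministic keys derived from labels for reproducibility, and constructed names (Root CA, Intermediate CA, example.com, alice, bob, carol, dave, stranger). Real X.509 path validation and GnuPG's web-of-trust evaluation add validity periods, key-usage and path-length constraints, revocation, and owner-trust weighting, none of which is modelled here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Cert is the shared idea: an issuer (X.509 CA or PGP key signer) vouches by
// signature that Subject holds PubKey. Real formats carry much more.
type Cert struct {
	Subject, Issuer string
	PubKey          ed25519.PublicKey
	Sig             []byte
}

type Actor struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// newActor derives a key pair deterministically from a label: constructed
// demo material only, not how real keys are generated.
func newActor(name string) Actor {
	seed := sha256.Sum256([]byte("constructed demo seed: " + name))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return Actor{name, priv.Public().(ed25519.PublicKey), priv}
}

// tbs is the to-be-signed encoding: subject name, separator, public key.
func tbs(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), pub...)
}

// issue has issuer vouch, by signature, that subject holds subject.Pub.
func issue(issuer, subject Actor) Cert {
	return Cert{Subject: subject.Name, Issuer: issuer.Name, PubKey: subject.Pub,
		Sig: ed25519.Sign(issuer.priv, tbs(subject.Name, subject.Pub))}
}

// findTrustPath searches outward from the keys the verifier trusts directly,
// learning each further key only through a signature that verifies under an
// already-known key. With a root CA as the only trusted key this is the X.509
// chain check; with a friend's key it is the PGP web-of-trust check.
// Returns the chain of names from a trusted key to target, or nil if none.
func findTrustPath(target string, certs []Cert, trusted map[string]ed25519.PublicKey) []string {
	known, parent := map[string]ed25519.PublicKey{}, map[string]string{}
	var queue []string
	for name, key := range trusted {
		known[name] = key
		queue = append(queue, name)
	}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == target {
			path := []string{cur}
			for p, ok := parent[cur]; ok; p, ok = parent[p] {
				path = append([]string{p}, path...)
			}
			return path
		}
		for _, c := range certs {
			// Skip certs not issued by cur, for keys already learned, or whose signature fails.
			if c.Issuer != cur || known[c.Subject] != nil || !ed25519.Verify(known[cur], tbs(c.Subject, c.PubKey), c.Sig) {
				continue
			}
			known[c.Subject], parent[c.Subject] = c.PubKey, cur
			queue = append(queue, c.Subject)
		}
	}
	return nil
}

// runScenario builds a constructed X.509-style hierarchy (Root CA ->
// Intermediate CA -> example.com) and a constructed PGP-style web (alice ->
// bob -> carol; dave vouched for only by a stranger) and runs the checks.
func runScenario() (x509Path, wrongRootPath, forgedPath, pgpPath, davePath []string) {
	root, inter, site, stranger := newActor("Root CA"), newActor("Intermediate CA"), newActor("example.com"), newActor("stranger")
	chain := []Cert{issue(root, inter), issue(inter, site)}
	bogus := issue(stranger, site) // signed by the stranger, but claiming the intermediate as issuer
	bogus.Issuer = inter.Name
	trustRoot := map[string]ed25519.PublicKey{root.Name: root.Pub}
	x509Path = findTrustPath(site.Name, chain, trustRoot)
	wrongRootPath = findTrustPath(site.Name, chain, map[string]ed25519.PublicKey{stranger.Name: stranger.Pub})
	forgedPath = findTrustPath(site.Name, []Cert{chain[0], bogus}, trustRoot)

	alice, bob, carol, dave := newActor("alice"), newActor("bob"), newActor("carol"), newActor("dave")
	web := []Cert{issue(alice, bob), issue(bob, carol), issue(stranger, dave)}
	mine := map[string]ed25519.PublicKey{alice.Name: alice.Pub}
	pgpPath = findTrustPath(carol.Name, web, mine)
	davePath = findTrustPath(dave.Name, web, mine)
	return
}

func main() {
	fmt.Println(runScenario())
}
```

Running it shows the point of the reply: the server certificate is accepted only when the verifier's trusted set contains the root the chain actually ends at (the same chain yields no path when a different root is trusted), a certificate whose signature does not verify under the claimed issuer's key is never learned, and in the web-of-trust case carol is reachable from alice through bob while dave, vouched for only by a key alice does not trust, is not.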