> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>> I'm sorry, but I don't understand. For example, as far as I know,
>> certificate authorities are not excluded by PGP. What is not
>> done, at least in GnuPG, is the inclusion of CA certificates with
>> the application and with a predefined trust level.
>> But there is nothing which prevents, for example, Verisign from
>> publishing a PGP key and encouraging people to trust it.
> PGP is based on a web-of-trust model where the level of trust is
> defined by the community. Verisign is based on a centralized model
> where the trust is based on the credibility of the CA.
But nothing - at least technically - prevents a certificate authority from
also participating in a community through which trust is defined.
>> So PGP can be used with or without the involvement of certificate
>> authorities. And this was the crux of my question. California
>> appears to both (1) permit the use of PGP and (2) require the use
>> of an approved certificate authority. But for this to have
>> meaning, at least some subset of the approved certificate
>> authorities must be willing to sign PGP keys.
> The fact that a CA signs a PGP cert means nothing unless I trust that
> CA. It is no different than you signing Tom M.'s key. If I don't trust
> you it is worthless.
Of course. But that's true whether we're speaking of a "web of trust" or
the centralized model in which certificate authorities prefer to operate.
In the browser "market", for example, trust is defined by what is shipped
with the browser software. Too few are too ignorant of how a new CA
certificate may be inserted. In fact, the very idea is a black hole to
This is interesting because it establishes a barrier to the entry of new
> Lots of state and federal agencies in the US use PGP because they are
> still rolling out Entrust or some other vendor. The spirit of the law
> I think is that, you can use PGP but we prefer you use a CA.
> Something is better than nothing. The law though has room for
> clarification by the legislator.
I cannot speak to the "spirit" of the law, as I'm not in California so I'm
not aware of what discussions occurred prior to its passage. But the
actual wording seems to define a market for certificate authorities:
signing PGP keys.
As we're speaking of state agencies, I could see "management" (i.e.
California authorities) mandating that system administrators install and
mark as ultimately trusted the PGP certificates for the approved
Again, going back to the actual wording of the law, PGP use would appear to
be precluded unless the public keys being used were signed by approved
certificate authorities. Use of PGP with public keys not signed in this
fashion would appear to violate the law.
But is it possible to satisfy this requirement? Are the approved
Certificate Authorities actually willing to (or required to) operate in the
PGP market? I can see strong motivation why they'd *not* choose to do so.
But the state *could* mandate this as a requirement for state approval.
Is this a law which appears to permit something, but which provides no means
through which that permission may be exercised? If so, did the certificate
authorities sneak this past the state legislature? Was it an accident
committed by nontechnical authors of the law?
This is part of why I find the issue so very interesting.