Difficult at best, who wants to trust a faceless corporation? Not to be cynical, but you might trust the receptionist, but what about the IT dept? Are they competent? Money is no guarantee of anything; in fact the larger the company, the more likely they will let something slip through the cracks. Companies all say they are secure and trustworthy, but who is hiring these people? Are there background checks? Should there be? Probably they outsource that, and then you have to see if you can trust that company too. The main problem is that so much gets outsourced so dept head A doesn't have to worry about it, but who is checking that this other company is doing it right? It's an endless cycle of paranoia.
Exactly. Trusting "a corporation" boils down to trusting its owners, and owners are those who hold the shares. In case you don't know how ownership of a public company works, google for "stock exchange" or so. :-) And understand that companies can hold the shares of other companies, too. :-)
Anyway. Show me one positive thing PKI has that OpenPGP Web of Trust is missing. From this thread it looks to me that few of us are aware of "trust signature level" notion. See GnuPG manual ("tsign") or here: http://www.google.com/search?hl=pl&q=gpg+tsign+site%3Awww.gnupg.org&btnG=Szukaj&lr= .
It looks to me that using trust signature levels (not just 2 or 3, like in X.509, but 10+) one can build his own key hierarchy. Here is an example: http://www.gswot.org/ .
Also Wikipedia (http://en.wikipedia.org/wiki/Web_of_trust) states that there are sites allowing you to find OpenPGP Web of Trust members near you (geographically), so that you could meet in person and sign each other's key. Sure, you might not be sure how honest a particular person is, or how accurate she is when it comes to key signing. But it *might* be helpful to know that a key of someone else that you haven't met in person has been signed by, say, 10 different people that you did meet before (see http://www.gnupg.org/gph/en/manual.html#AEN385).
So. Summarizing all this, I would say that OpenPGP Web of Trust is (much) more flexible than PKI, and when it comes to implementation, it looks like with OpenPGP you are the one to decide whom to trust (http://www.gnupg.org/gph/en/manual.html#AEN385) (which is not the case with PKI, where a single certificate chain is sufficient for the trust to be assigned locally).
The revolution strategy will follow in my reply to Todd Zullinger's post (03/31/2009 01:10 AM).
STF
=======================================================================
http://eisenbits.homelinux.net/~stf/
OpenPGP: 9D25 3D89 75F1 DF1D F434 25D7 E87F A1B9 B80F 8062
=======================================================================
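The two mechanisms the post above leans on, "3 marginally trusted signers make a key valid" and trust signature levels ("tsign") building a delegation hierarchy, can be modelled in a few lines. The following is an added example, not code from the post or from GnuPG; it is a simplified model of GnuPG's validity rules (defaults: 1 full or 3 marginal certifiers, max-cert-depth 5), and all key names and signatures in it are constructed.

```python
"""Toy model of the OpenPGP Web of Trust as GnuPG evaluates it: key validity
from certifications, owner trust and trust signatures (tsign).
Constructed example, not GnuPG's own code."""
from collections import namedtuple

# Certification on `target` by `signer`: level 0 = plain signature, n>0 = tsign at level n.
Sig = namedtuple("Sig", "signer target level")
ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"

def compute_validity(ownertrust, sigs, marginals_needed=3, completes_needed=1, max_depth=5):
    """Return (valid_keys, effective_trust). GnuPG defaults: a key is valid when
    certified by 1 fully trusted valid key or 3 marginally trusted valid keys."""
    trust = dict(ownertrust)
    # depth[k] = levels for which k may act as introducer; only ultimate keys start with one.
    depth = {k: max_depth for k, t in ownertrust.items() if t == ULTIMATE}
    valid, changed = set(depth), True
    while changed:
        changed = False
        # honour trust signatures from valid signers that may still delegate
        for s in sigs:
            if s.level and s.signer in valid and depth.get(s.signer, 0) >= 2:
                new_depth = min(s.level, depth[s.signer] - 1)
                if new_depth > depth.get(s.target, 0):
                    depth[s.target], trust[s.target], changed = new_depth, FULL, True
        # a key becomes valid once enough valid, trusted keys have certified it
        for key in {s.target for s in sigs} - valid:
            full = sum(1 for s in sigs if s.target == key and s.signer in valid
                       and trust.get(s.signer) in (ULTIMATE, FULL))
            marginal = sum(1 for s in sigs if s.target == key and s.signer in valid
                           and trust.get(s.signer) == MARGINAL)
            if full >= completes_needed or marginal >= marginals_needed:
                valid.add(key)
                changed = True
    return valid, trust

def example():
    """Constructed scenario: `me` is the ultimate key; alice..dave were met in person."""
    ownertrust = {"me": ULTIMATE, "alice": MARGINAL, "bob": MARGINAL,
                  "carol": MARGINAL, "dave": MARGINAL}
    sigs = [Sig("me", p, 0) for p in ("alice", "bob", "carol", "dave")] + [
        Sig("alice", "erin", 0), Sig("bob", "erin", 0), Sig("carol", "erin", 0),
        Sig("dave", "frank", 0),   # a single marginal signer is not enough
        Sig("me", "ca", 2),        # meta-introducer: may issue level-1 tsigns
        Sig("ca", "dept", 1),      # introducer: its certifications count as full
        Sig("dept", "gina", 0),
        Sig("dept", "hank", 1),    # delegation ignored: dept may not delegate
        Sig("hank", "ivan", 0),    # so hank's certification carries no trust
    ]
    return compute_validity(ownertrust, sigs)
```

Running `example()` shows erin validated purely by three marginal acquaintances, gina validated through the tsign chain, and frank and ivan left invalid.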