On Sun, Oct 24, 2021 at 10:12 PM Karl <gmkarl@gmail.com> wrote:
> I didn't know there was such a thing as a PGP CA, kinda cool, does sound a little single-point-of-failure to me, but you must have laws to e.g. force them to improve their practices if they aren't sufficient, I suppose.

Well, the CA is run on behalf of our BSI (a Government Institution) for computer security etc. If the service goes down, you can expect that it will be up again the next day, in case of failure or DDoS. The only reason to no longer run the CA could maybe be that one day OpenPGP no longer plays a role, cost-wise to run such a service, for free and its (few) citizens using OpenPGP.

For digital signatures only, we now also have EU-wide eIDAS, which allows people to use .pdf documents and have them digitally signed via authorized (by Government) services. You can then, for example (as a US citizen etc.), verify my .pdf document, say a contract, application form, or whatever, and you would know that it is me and also that the signature is legally binding.

Regards
Stefan