The trouble with CAcert and other similar web-of-trust schemes is that they confuse different sorts of trust. Even if ten or even a thousand people have checked that someone claiming to be Dr Evil really is Dr Evil, it doesn't follow that Dr Evil's claims about the identity of another individual should be believed.
Web-of-trust schemes which do not recognise this distinction will be vulnerable to an exploit whereby "verified-identity" can be elevated to "presumed-reliable-authenticator".
The bottom of this page from CAcert's FAQ seems to admit that their scheme is vulnerable to such an exploit.
If you get a flat, do you get A flat?
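A small model of the distinction drawn in the post above, added as an illustration and not part of the original post or of CAcert's software. All names, the certification list and the `valid_identities` function are constructed for the example; it compares a verifier that keeps "verified identity" separate from "trusted introducer" with one that conflates them.

```python
# Added illustration: constructed data, not CAcert's or any PGP tool's code.

# (signer, subject): signer asserts "I checked subject's identity".
CERTS = [
    ("alice", "dr_evil"), ("bob", "dr_evil"), ("carol", "dr_evil"),  # true claims
    ("dr_evil", "fake_bank"),                                         # false claim
    ("alice", "dave"),
]
INTRODUCERS = {"alice", "bob", "carol"}  # keys the verifier chose to rely on


def valid_identities(certs, introducers, needed=1, conflate=False):
    """Return the identities accepted as verified (hypothetical helper).

    conflate=False: only explicitly chosen introducers' signatures count.
    conflate=True:  every verified identity is promoted to introducer,
                    the elevation the post describes.
    needed:         number of distinct trusted signers required per identity.
    """
    trusted = set(introducers)
    valid = set()
    changed = True
    while changed:  # iterate to a fixed point so promotions can chain
        changed = False
        for subject in {s for _, s in certs}:
            if subject in valid:
                continue
            vouchers = {signer for signer, s in certs
                        if s == subject and signer in trusted}
            if len(vouchers) >= needed:
                valid.add(subject)
                if conflate:
                    trusted.add(subject)  # identity check treated as reliability
                changed = True
    return valid


if __name__ == "__main__":
    print("separated:", sorted(valid_identities(CERTS, INTRODUCERS)))
    print("conflated:", sorted(valid_identities(CERTS, INTRODUCERS, conflate=True)))
```

Raising `needed` makes Dr Evil's own identity harder to verify but does nothing about the second question, whether his signatures should count once it is.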