Robot CA at toehold.com
Sun Dec 8 13:22:02 2002
On Fri, Dec 06, 2002 at 10:18:17PM -0600, Kyle Hasselbacher wrote:
> David Shaw wrote:
> > On Fri, Dec 06, 2002 at 01:21:58PM -0600, Kyle Hasselbacher wrote:
> > > If I see a key that's not mine that IS signed by the robot, then I
> > > know that someone else has access to my email. That's a big
> > > improvement over them reading my mail without me knowing. The
> > > action I can take when I find out is the same--get another email
> > > address. Without knowing, I take no action, and the snooping
> > > continues.
> > That's cheating a little bit - you're promoting this to make crypto
> > simpler for Granny. Granny won't know what on earth it means to have
> > multiple signed keys. Plus, it's going to be a VERY common case to
> > have multiple signed keys by the robot. It happens every day that
> > someone makes a key, sends it to the keyserver, and then forgets the
> > passphrase so they have to make a new one. Some people have 4-5 dead
> > keys on the keyservers that they can't get rid of.
> I hadn't considered that people would have multiple legitimately signed
> keys. The problem will be mitigated by expiring signatures (this makes me
> want to expire them faster), but it'll probably still happen a lot (with
> people installing multiple email clients and whatnot).
> You could automate the check for multiple signed keys. When it turns up,
> explain to the user what it means, and what it MAY mean. If they choose
> "ignore it", then remember the extra key you saw, and pop the dialog again
> only if ANOTHER key shows up. We can have as many dead keys as we want on
> the "don't care" list.
> People who ignore real attacks are (again) no worse off than if they had no
> crypto, except maybe that they're annoyed by perplexing questions. What
> bothers me is people who take action against a false positive. They
> generated two keys without knowing it, but they think the big bad
> postmaster is out to get them.
> That's a tough one.
It's worse actually, since multiple signed keys isn't even really an
exception. I can point to dozens of people who have multiple keys
with the same email address for "non-error" reasons:
1) People who have a "main key" (presumably offline) and a "laptop
2) People who keep around a PGP 2.6.x key as well as an OpenPGP key.
> I think as long as there are some cases where we encrypt productively when
> we would not have before, it's victory. If I fail totally to encrypt when
> there are multiple signed keys, or when there's a legitimate key that's not
> signed, that won't bother me. These are users who previously would have
> never encrypted anyway.
It is interesting to me that this design discourages encrypted
communication between Granny and OpenPGP-savvy users (who are far more
likely to have multiple keys than the average population).
> FYI, I've only signed keys of people I know personally.
Which raises an interesting question. Should people (real people, not
other robots) sign the robot's key. I strongly feel the best answer
here is "no". There is no need to - the robot is a CA and has that
authority with or without such signatures. Signing a robot key also
encourages people who don't need to use this system to use it anyway
because it hooks them into the web of trust via a weakly-checked back
If a robot CA must be done, and I do see some limited benefits to it,
it must not become a free pass into the web of trust strong set. That
hurts all of the users of OpenPGP.
David Shaw | email@example.com | WWW http://www.jabberwocky.com/
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson