Robot CA at toehold.com
Michael Nahrath
gnupg-users@nahrath.de
Thu Dec 5 14:09:02 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Kyle Hasselbacher <kyle@longshot.toehold.com> schrieb am 2002-12-04 20:27
Uhr:
=20
> Looking through Google, I found a thread here from a few months back that
> mentions the concept of a "Robot CA". It's basically certificate authori=
ty
> that verifies only the email address on a key.
>=20
> I've created such a beast. There's information on it here:
>=20
> http://www.toehold.com/robotca/
> I'm interested to hear opinions on this.
Sorry I don't have time for deeper testing. Looks quite interesting.
Here just some short ideas after a first glimpse:
Important:
Verifying nothing but mail adresses can be valid for a limited time.
Mail addresses cange more often than real-life-identities.
Your signature should reflect this in some way.
Either you give signatures that expire after a certain time (eg 6 months).
I don't know if this is possible and if it doesn't raise a bunch of
compatibility problems.
Or you let the signing key expire (eg after 1 year).
Important:
IMHO one encrypted communication path is mandatory. That would verify that
the holder of the mail address is also in posess of the secret key and the
passphrase.
=20
Enhancement:
Not everybody will want your robot to sign all UIDs.
OK, they don't need to import all the signatures
but some easier way to choose would be preferable.
At least you might provide advice haow to export ones key striped to one
UID from a local GPG installation before sending it to the robot.
Another way of reducing the load and traffic was to reduce signing only to
mail adresses that are the Sender of the mail that sends the key.
That idea conflicts with the cgi-interface as it makes the ability to
_send_ mail from an address another verification critereia.
Cosmetical:
Rather include a
RedirectPermanent /robotCA http://www.toehold.com/robotca
RedirectPermanent /RobotCA http://www.toehold.com/robotca
to your website's .htaccess file. This will be a common mistyping :-)
=20
Greeting, Michi
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.1 (Darwin)
iD8DBQE971Aw19dRf5pMcEwRAslJAKDA8ifcouaFee4ajS5u1WIjyIIymwCdE2fw
3LPgTnOPoYn6plXr0qLjclY=3D
=3D7VS6
-----END PGP SIGNATURE-----he S=9D?=18reco=02ktxtTEXT=08=80-----BEGIN PGP SIGNED ME