Robot CA at

David Shaw
Thu Dec 5 14:43:01 2002

On Wed, Dec 04, 2002 at 01:27:49PM -0600, Kyle Hasselbacher wrote:
> Looking through Google, I found a thread here from a few months back that
> mentions the concept of a "Robot CA".  It's basically certificate authority
> that verifies only the email address on a key.
> I've created such a beast.  There's information on it here:
> Perl source is available.  I also wrote a more descriptive article for
>, which you can find here:
> I'm interested to hear opinions on this.  In particular, my robot does not
> do a challenge/response the way it's usually assumed.  It just signs the
> key and sends it to the address in the key ID.  I rely on delivery failure
> to eliminate the bad signatures.

I think this is not terribly safe - as "postmaster" for a few sites, I
know that I get a lot of bounces that would surprise the users the
mail was intended for.  An unscrupulous postmaster could also get the
signed keys from the mail spool and abuse them.  The only way to be
totally safe is to never generate a signature unless you intend it to
be used.

I actually started setting up a similar robot at,
but I've almost persuaded myself (after arguing the other side for a
while) that there is no point in such a service.  You can get a
reasonable binding between key and email address, but how useful is
that in the real world?  Remember that the usual real-world binding is
between key and *person* (hence checking fingerprints in person, etc).

It comes down to this: I am a person who wants to encrypt a message to
Alice.  I get her key from the keyserver.  Assume for the sake of
argument that I don't have a strong key<->person trust path to her, so
this weaker key<->email path is a possibility.

Two possibilities then:

1) Alice's key does have such a signature, so I go ahead and send my
   encrypted mail to her.

2) Alice's key doesn't have such a signature, so I don't know if the
   email address has been verified... but I don't care: if the person
   behind the email address does not have access to the key, they
   won't be able to read the encrypted message I just sent them.

Where's the benefit?  If it was guaranteed that ALL keys would have
such a signature then there is the traffic analysis benefit of never
sending a message like in the second example.  However, in the real
world there is no such guarantee.

I'm not dismissing the idea (it's interesting engineering one of these
things, and I've done it myself as well), but I'm having problems
seeing how it's useful in the real world.


   David Shaw
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
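The two robot designs discussed in this thread, modelled as an added example (this is not code from the thread, from Kyle's robot, or from GnuPG). The toy mail system records every message in a spool the postmaster can read, and bounces mail to unknown addresses, which is the failure mode described above: a "sign first, then mail it" robot puts a valid, permanent certification into the spool and into every bounce, whereas a challenge/response robot mails only a single-use, time-limited token and signs nothing until the token comes back. The HMAC stands in for the robot's OpenPGP certification, and the secret, fingerprint, addresses and token lifetime are all constructed for the example.

```python
"""Toy model of "sign and mail" versus challenge/response for a robot CA.
Added example; the HMAC is a stand-in for an OpenPGP certification and every
value below is constructed, not taken from any real robot."""
import hashlib
import hmac
import secrets
import time

ROBOT_SECRET = b"constructed-robot-ca-secret"   # stand-in for the robot's signing key
TOKEN_LIFETIME = 3600                            # seconds a challenge stays valid (assumption)


def certify(fingerprint: str, email: str) -> str:
    """Stand-in for the robot's certification of the (key, email) binding."""
    msg = f"{fingerprint}|{email}".encode()
    return hmac.new(ROBOT_SECRET, msg, hashlib.sha256).hexdigest()


def verify_certification(fingerprint: str, email: str, sig: str) -> bool:
    return hmac.compare_digest(certify(fingerprint, email), sig)


class MailSystem:
    """Toy transport: every message lands in the spool (readable by the
    postmaster); mail to an unknown address additionally bounces."""

    def __init__(self, valid_addresses):
        self.valid = set(valid_addresses)
        self.spool = []      # (to, body) for every message, delivered or not
        self.bounces = []    # messages to unknown addresses

    def send(self, to: str, body: dict) -> None:
        self.spool.append((to, dict(body)))
        if to not in self.valid:
            self.bounces.append((to, dict(body)))


def certifications_in(messages, fingerprint: str, email: str) -> list:
    """Valid certifications that anyone reading these messages could lift out."""
    return [b["sig"] for _, b in messages
            if b.get("type") == "certification"
            and verify_certification(fingerprint, email, b["sig"])]


class NaiveRobot:
    """Signs first, mails the signed key, and relies on bounces to weed out bad ones."""

    def __init__(self, mail: MailSystem):
        self.mail = mail

    def process(self, fingerprint: str, email: str) -> str:
        sig = certify(fingerprint, email)                 # signature exists before any proof
        self.mail.send(email, {"type": "certification", "sig": sig})
        return sig


class ChallengeRobot:
    """Mails a token; signs only when that token is presented back in time."""

    def __init__(self, mail: MailSystem, clock=time.time):
        self.mail = mail
        self.clock = clock
        self.pending = {}    # token -> (fingerprint, email, expiry)

    def request(self, fingerprint: str, email: str) -> str:
        token = secrets.token_urlsafe(16)
        self.pending[token] = (fingerprint, email, self.clock() + TOKEN_LIFETIME)
        self.mail.send(email, {"type": "challenge", "token": token})   # no signature in the mail
        return token

    def respond(self, token: str):
        """Return the certification, or None if the token is unknown, used or stale."""
        entry = self.pending.pop(token, None)   # single use: consumed on the first attempt
        if entry is None:
            return None
        fingerprint, email, expiry = entry
        if self.clock() > expiry:
            return None
        return certify(fingerprint, email)


def demo():
    """Compare what a bounce (or the spool) leaks under each design.
    Returns (signatures leaked by the naive robot, signatures leaked by the challenge robot)."""
    fp = "0123456789ABCDEF0123456789ABCDEF01234567"   # constructed fingerprint
    bogus = "nobody@example.invalid"                   # constructed address that bounces

    mail = MailSystem(valid_addresses={"alice@example.org"})
    NaiveRobot(mail).process(fp, bogus)
    leaked = certifications_in(mail.bounces, fp, bogus)   # the bounce carries a usable signature

    mail2 = MailSystem(valid_addresses={"alice@example.org"})
    ChallengeRobot(mail2).request(fp, bogus)
    in_spool = certifications_in(mail2.spool, fp, bogus)  # only an expiring token went out
    return len(leaked), len(in_spool)


if __name__ == "__main__":
    print(demo())
```

The difference the post is getting at is visible in `demo()`: the naive robot's bounce contains a certification that stays valid forever, while the challenge robot's spool entry is a token that is useless once redeemed or expired, so the robot only ever mints a signature it intends to be used. A postmaster who reads the spool could still answer a challenge for a live address, so the token design narrows the window rather than closing it, which is the limit of what an email-only binding can show.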