Robot CA at toehold.com

Kyle Hasselbacher kyle@toehold.com
Thu Dec 5 18:29:01 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Dec 05, 2002 at 11:13:27AM -0500, David Shaw wrote:
>On Thu, Dec 05, 2002 at 02:09:58PM +0100, Michael Nahrath wrote:
>
>> Verifying nothing but mail adresses can be valid for a limited time.
>> Mail addresses cange more often than real-life-identities.
>> Your signature should reflect this in some way.
>> 
>> Either you give signatures that expire after a certain time (eg 6 months).
>> I don't know if this is possible and if it doesn't raise a bunch of
>> compatibility problems.
>> Or you let the signing key expire (eg after 1 year).
>
>Better to expire the signatures themselves.  If you expire your
>signing key, then everyone will have to get their key re-signed.

I wanted to make signatures that expire, but I didn't see an obvious way to
do it with GnuPG.  If the key itself expires, it gives you the option of
expiring your signature at the same time (and the robot does that), but I
didn't see a way to set an arbitrary expiration date for a signature.

I considered having the robot's key expire periodically, but I decided
against it.

>Note also that OpenPGP defines multiple signature verification
>levels.  I've argued in the past, and continue to argue now that any
>automated signer should use 0x11 "persona" signatures as a hint that
>this is an unusual signature.

I made this an option in the robot's config file.  Mine makes normal
signatures right now only because I couldn't decide on 1 or 2.  I agree
that this would be a good way to flag it as an unusual signature.
- -- 
Kyle Hasselbacher | "There's no trick to being a humorist when you have the
kyle@toehold.com  |  whole government working for you."  -- Will Rogers.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9740l10sofiqUxIQRAuxLAJ9loaI70saI/jU7DrC/juEYqf1NtwCgwz/b
dsjhB5NoYeyn2T9Q65qXAm4=
=YGYW
-----END PGP SIGNATURE-----