Semi-automated trust, policy (was: Robot CA...)

Toxik - Fabian Rodriguez
Fri Dec 6 17:09:02 2002

It's interesting to see all the discussion the robot CA generates. I
think I would use that kind of tool to spread trust and better
educate users about signatures, procedures to check trust, etc.

For example, I see this in a semi-automated environment, where
*customers* are signed after manual verification by a business, but
via a web interface tied to the CA-robot - for free. Thawte's certs
are generated in a similar context/process. Our policy page would
explain that we only sign our customers' keys with our business key.
When somebody / an organization becomes our customer, there's a
certain level of verification done (credit card, address, phone,
personal meetings, etc.). Why not add OpenPGP "notarization" for free?
We could also sign individuals' keys on a personal basis, but the
policy URLs would always explain under what conditions. At Toxik we
already do that in a limited way, our site will reflect it in the
next few weeks.

Encouraging other sites to *copy* the content and reproduce a
signature/verification setup would then help spread use of personal
crypto, but only if it's used in every single business message. For
example, CIRA, the Canadian organization responsible for .CA domains,
signs each and every message with PGP.

A job we can all start doing already is writing to all
companies/organizations that have PGP information on their site to
also link to GnuPG's front-ends page, and update their terminology to
use "OpenPGP" instead. Some examples to start:

I think business use is only an extension of OpenPGP use, but
ultimately it has a great influence on personal use. Of course there
are other ways. ;)


Fabian Rodriguez - Toxik Technologies, Inc. - (514) 528-6945 @221
OpenPGP: 0x5AF2A4D5 
