AW: Robot CA at toehold.com
Fri Dec 6 17:36:02 2002
-----BEGIN PGP SIGNED MESSAGE-----
On Fri, Dec 06, 2002 at 10:38:01AM +0100, Adrian 'Dagurashibanipal' von Bidder wrote:
>Yes. IMHO the robotCA should
> - only sign uids consisting of an email adress *only* (no realname, no
>comment). Yes, people would have to get an additional uid, so what. But
>then anyone looking at the key can see what was certified.
> - with 0x11 signature (I see you're going to do that, good).
> - add a policy URL
> - have, as Ralf said, a uid comment warning that only the email address
>has been checked on the signing key.
If I never sign a UID with a real name or comment (only email address),
then I don't need to yell so loud (or at all) that that's all I'm
checking--that's all there is to check.
The down side to doing that is, there aren't so many keys that have just
that. People have to make a special UID to get signed. I'd rather work
with what's there now. That having been said, I certainly see the security
advantage to doing it your way.
Ultimately I'd like to be merely the first of many robot CAs that run. If
others want to have a different (better?) policy on what they sign, I'd
>Of course, requirements here are
> - a db of the uids that have been signed.
> - publication of the key with revoked signatures.
If I keep a list of UIDs that I've signed, I'd have to check the key
servers to see which actually have my signature before I start challenging
them. Just a detail.
Kyle Hasselbacher Hackers do it with all sorts of characters.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----