Semi-automated trust, policy (was: Robot CA...) (fwd)

Kyle Hasselbacher
Fri Dec 6 20:38:02 2002

On Fri, Dec 06, 2002 at 11:08:56AM -0500, Toxik - Fabian Rodriguez wrote:

>For example, I see this in a semi-automated environment, where
>*customers* are signed after manual verification by a business, but
>via a web interface tied to the CA-robot - for free. Thawte's certs
>are generated in a similar context/process. Our policy page would
>explain that we only sign our customers' keys with our business key.
>When somebody / an organization becomes our customer, there's a
>certain level of verification done (credit card, address, phone,
>personal meetings, etc.). Why not add OpenPGP "notarization" for free?
>We could also sign individuals' keys on a personal basis, but the
>policy URLs would always explain under what conditions. At Toxik we
>already do that in a limited way, our site will reflect it in the
>next few weeks.

This makes me want to go sit at my local cyber cafe with a big sign on my
head that reads "I sign PGP keys" just on the off chance that some other
patron is a user.  Or maybe the proprietor could be talked into becoming a
CA, and advertising the fact.  But I digress.

Back to the robot, if people have keys signed by it, then there's a mapping
between a key and an email address.  Then the email address can be an
easier "fingerprint" for a user.  Granny can tell me her email address in
person, but she can't remember (or even figure out) her fingerprint.  If I
look up keys with that email address and find one that's robot-verified, I
may feel confident enough to sign it myself based on that.  A business that
has checked my ID and asked me my email address could do the same thing.

I don't know if this is what you were saying in the first place.  If so, I
just had to restate it to get it clear in my head.
-- 
Kyle Hasselbacher | The hardest lesson to learn is that learning is  | a continual process. -- David Gerrold
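
The lookup described in the message (find the keys that claim an email address, keep only those the robot has certified for that address), as an added example that is not part of the original post. It assumes the colon-delimited layout of `gpg --with-colons --check-sigs` with separate `uid` records; the robot key ID, the other key IDs and the addresses are constructed placeholders.

```python
# Added illustration: pick out keys whose user ID for a given address carries
# a *good* certification from a robot CA key. All key IDs are constructed.
ROBOT_KEYID = "AAAAAAAAAAAAAAAA"  # hypothetical robot CA key ID

# Constructed sample in the `gpg --with-colons --check-sigs` layout.
# In sig records field 2 is "!" (good) or "-" (bad), field 5 is the signer's
# key ID and field 11 is the signature class (10x-13x = UID certification).
SAMPLE = """\
pub:-:2048:1:1111111111111111:1038700000:::-:::scESC:
uid:-::::1038700000::HASH1::Granny <granny@example.org>:
sig:!::1:1111111111111111:1038700000::::Granny <granny@example.org>:13x:
sig:!::1:AAAAAAAAAAAAAAAA:1038800000::::Robot CA <robot@example.net>:10x:
pub:-:2048:1:2222222222222222:1038900000:::-:::scESC:
uid:-::::1038900000::HASH2::Granny <granny@example.org>:
sig:!::1:2222222222222222:1038900000::::Granny <granny@example.org>:13x:
uid:-::::1038900000::HASH3::Someone Else <else@example.org>:
sig:!::1:AAAAAAAAAAAAAAAA:1038950000::::Robot CA <robot@example.net>:10x:
pub:-:2048:1:3333333333333333:1039000000:::-:::scESC:
uid:-::::1039000000::HASH4::Granny <granny@example.org>:
sig:-::1:AAAAAAAAAAAAAAAA:1039100000::::Robot CA <robot@example.net>:10x:
"""

def robot_verified_keys(colon_listing, email, robot_keyid):
    """Return key IDs whose UID for `email` has a good robot certification."""
    needle = "<" + email.lower() + ">"
    found, key, uid_matches = [], None, False
    for line in colon_listing.splitlines():
        f = line.split(":")
        if len(f) < 11:
            continue  # not a record we understand
        if f[0] == "pub":
            key, uid_matches = f[4], False
        elif f[0] == "uid":
            # Signatures that follow apply to this user ID only, so a robot
            # signature on some other address of the same key does not count.
            usable = f[1] not in ("r", "e")  # skip revoked/expired UIDs
            uid_matches = usable and needle in f[9].lower()
        elif f[0] == "sig" and key and uid_matches:
            good = f[1] == "!"  # signature verified by gpg
            is_cert = f[10][:2] in ("10", "11", "12", "13")
            if good and is_cert and f[4] == robot_keyid and key not in found:
                found.append(key)
    return found

if __name__ == "__main__":
    print(robot_verified_keys(SAMPLE, "granny@example.org", ROBOT_KEYID))
```

Of the three constructed keys that claim granny@example.org, only the first qualifies: the second has the robot's signature on a different user ID, and the third has a robot signature that fails verification.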