Semi-automated trust, policy (was: Robot CA...) (fwd)

Kyle Hasselbacher kyle@toehold.com
Fri Dec 6 20:38:02 2002 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Dec 06, 2002 at 11:08:56AM -0500, Toxik - Fabian Rodriguez wrote:

>For example, I see this in a semi-automated environment, where
>*customers* are signed after manual verification by a business, but
>via a web interface tied to the CA-robot - for free. Thawte's certs
>are generated in a similar context/process. Our policy page would
>explain that we only sign our customers keys with our business key.
>When somebody / an organization becomes our customer, there's a
>certain level of verification done (credit card, address, phone,
>personal meetings, etc.). Why not add OpenPGP "notarization" for free
>? We could also sign individuals keys on a personal basis, but the
>policy URLs would always explain under what conditions. At Toxik we
>already do that in a limited way, our site will reflect it in the
>next few weeks.

This makes me want to go sit at my local cyber cafe with a big sign on my
head that reads "I sign PGP keys" just on the off chance that some other
patron is a user.  Or maybe the proprieter could be talked into becoming a
CA, and advertising the fact.  But I digress.

Back to the robot, if people have keys signed by it, then there's a mapping
between a key and an email address.  Then the email address can be an
easier "fingerprint" for a user.  Granny can tell me her email address in
person, but she can't remember (or even figure out) her fingerprint.  If I
look up keys with that email address and find one that's robot-verified, I
may feel confident enough to sign it myself based on that.  A business that
has checked my ID and asked me my email address could do the same thing.

I don't know if this is what you were saying in the first place.  If so, I
just had to restate it to get it clear in my head.
- - -- 
Kyle Hasselbacher | The hardest lesson to learn is that learning is
kyle@toehold.com  | a continual process. -- David Gerrold
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE98PyR10sofiqUxIQRAvLJAKCDAuHV64jSgBEinmLCHD9fluE9VACfROoX
ppgdvrKjK6WxKbS3cu2mXu4=
=DRN4
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE98Pzo10sofiqUxIQRAlaBAJ4z11riHofYJz11P5kOeTO2qE4mrgCeLRQk
dCo87zeNeNJ3O4+17zdKZWI=
=cTo1
-----END PGP SIGNATURE-----