Robot CA at toehold.com

Michael Nahrath gnupg-users@nahrath.de
Sat Dec 7 14:39:01 2002


Kyle Hasselbacher <kyle@longshot.toehold.com> wrote on 2002-12-04 at 20:27:

[back to the origin of the thread ...]

> Looking through Google, I found a thread here from a few months back that
> mentions the concept of a "Robot CA".  It's basically a certificate authority
> that verifies only the email address on a key.
>
> I've created such a beast.  There's information on it here:
>
> http://www.toehold.com/robotca/

> I'm interested to hear opinions on this.  In particular, my robot does not
> do a challenge/response the way it's usually assumed.  It just signs the
> key and sends it to the address in the key ID.  I rely on delivery failure
> to eliminate the bad signatures.

The idea is not that new.

<http://www.trustcenter.de/> have done signings upon nothing but e-mail
verification for years.

They have five signing keys ("Class 0" up to "Class 4") expressing different
depths of identity checking. Class 0 is just for testing purposes and
Class 4 needed too complicated identity tests, so they don't offer it any
more.

See their policy
<http://www.trustcenter.de/legal/policy/policy_en/tc-trustcenter_zertrichtlinien_june22002_en.pdf>
or <http://www.trustcenter.de/infocenter/background-infos.htm> to get an
idea about their definition.

Class 1 seems to be exactly what your robot wants to do:

| 4.2 Class 1 certificates
| Class 1 certificates always contain an e-mail address. Class 1
| certificates confirm that the stated e-mail address existed at the time of
| application and that the owner of the public key had access to this e-mail
| address.
| Class 1 certificates provide very little authentication of the identity of
| the certificate holder. Except from the existence and the accessibility of
| the e-mail address, no data contained in the certificate is being checked.

As far as I can see they don't offer OpenPGP signings any more, at least
they don't advertise it on the website. Otherwise I might have tested the
procedure.

Greeting, Michi

P.S.: As there have been discussions about ways to identify yourself to a
website by your key in this thread:

They use an interesting solution for a website login based upon the ability
to sign with a certain key:
Go to <http://www.trustcenter.de/certservices/search/en/en.htm> and activate
the link "> Closed User Groups (PGP Certificate required)".

They provide a random number. Clearsigning it with a key they have in their
database proves that you have legitimate access to that database.