Robot CA at toehold.com
Sat Dec 7 14:39:01 2002
Kyle Hasselbacher <firstname.lastname@example.org> wrote on 2002-12-04 20:27
[back to the origin of the thread ...]
> Looking through Google, I found a thread here from a few months back that
> mentions the concept of a "Robot CA". It's basically certificate authority
> that verifies only the email address on a key.
> I've created such a beast. There's information on it here:
> I'm interested to hear opinions on this. In particular, my robot does not
> do a challenge/response the way it's usually assumed. It just signs the
> key and sends it to the address in the key ID. I rely on delivery failures
> to eliminate the bad signatures.
The idea is not that new.
<http://www.trustcenter.de/> have done signings upon nothing but e-mail
verification for years.
They have 5 Signing keys ("Class 0" up to "Class 4") expressing different
depths of identity checking. Class 0 is just for testing purposes and
Class 4 needed too complicated identity tests, so they don't offer it any
See their Policy
or <http://www.trustcenter.de/infocenter/background-infos.htm> to get an
idea about their definition.
Class 1 seems to be exactly what your robot wants to do:
| 4.2 Class 1 certificates
| Class 1 certificates always contain an e-mail address. Class 1
| certificates confirm that the stated e-mail address existed at the time of
| application and that the owner of the public key had access to this e-mail address.
| Class 1 certificates provide very little authentication of the identity of
| the certificate holder. Except from the existence and the accessibility of
| the e-mail address, no data contained in the certificate is being checked.
As far as I can see they don't offer OpenPGP signings any more, at least
they don't advert it on the website. Otherwise I might have tested the
P.S.: As there have been discussions about ways to identify yourself to a
website by your key in this thread:
They use an interesting solution for a website login based upon the ability
to sign with a certain key:
Go to <http://www.trustcenter.de/certservices/search/en/en.htm> and activate
the link "> Closed User Groups (PGP Certificate required)".
They provide a random number. Clearsigning it with a key they have in their
database proves that you have legitimate access to that database.
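The nonce-signing login described in the P.S., as an added example written for this page (it is not Trustcenter's or the robot CA's code). It stands in a self-contained Ed25519 signature for the OpenPGP clearsign the site actually asks for, invents a key database keyed by a short key ID, and assumes a site name of example.test; all of those are assumptions. The shape of the exchange is what matters: the server hands out a random number bound to a claimed key, the client signs it, and the server verifies against the key on file and discards the nonce so a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Assumed site name, baked into every challenge so a signature made for
// this login cannot be presented to another service that also asks its
// users to sign random numbers.
const siteName = "example.test"

// Server models the "closed user group" login: it knows a set of public
// keys (the certificate database) and issues one-time random numbers that
// the holder of a key must sign to prove possession.
type Server struct {
	mu         sync.Mutex
	keys       map[string]ed25519.PublicKey // key ID -> public key on file
	challenges map[string]string            // outstanding nonce -> key ID it was issued for
}

func NewServer() *Server {
	return &Server{
		keys:       make(map[string]ed25519.PublicKey),
		challenges: make(map[string]string),
	}
}

// Register adds a public key to the database under its (assumed) key ID.
func (s *Server) Register(keyID string, pub ed25519.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.keys[keyID] = pub
}

// Challenge hands out a fresh 128-bit random nonce bound to the key ID the
// user claims. Unknown key IDs are refused before any nonce is created.
func (s *Server) Challenge(keyID string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.keys[keyID]; !ok {
		return "", errors.New("unknown key ID")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(raw)
	s.challenges[nonce] = keyID
	return nonce, nil
}

// ChallengeText is the exact byte string both sides sign and verify.
func ChallengeText(nonce string) []byte {
	return []byte("login to " + siteName + ": " + nonce)
}

// Login checks the signature over the challenge text with the key on file.
// The nonce is consumed on first presentation whether or not the signature
// verifies, so a failed or captured attempt cannot be retried.
func (s *Server) Login(keyID, nonce string, sig []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	issuedFor, ok := s.challenges[nonce]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, nonce)
	if issuedFor != keyID {
		return errors.New("challenge was issued for a different key")
	}
	if !ed25519.Verify(s.keys[keyID], ChallengeText(nonce), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Sign is the client side: sign the challenge text with the private key.
func Sign(priv ed25519.PrivateKey, nonce string) []byte {
	return ed25519.Sign(priv, ChallengeText(nonce))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s := NewServer()
	s.Register("alice", pub)
	nonce, _ := s.Challenge("alice")
	sig := Sign(priv, nonce)
	fmt.Println("first login:", s.Login("alice", nonce, sig))
	fmt.Println("replay:", s.Login("alice", nonce, sig))
}
```

Two details go beyond the bare "sign this random number" the site describes: the signed text carries the site name, so the same signature is useless against any other service, and the nonce is tied to the key ID it was issued for and deleted on first use, so neither a replay nor a challenge requested for one key and answered with another gets through.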