Robot CA at

Michael Nahrath
Sat Dec 7 14:39:01 2002

Kyle Hasselbacher <> wrote on 2002-12-04 20:27:

[back to the origin of the thread ...]

> Looking through Google, I found a thread here from a few months back that
> mentions the concept of a "Robot CA".  It's basically certificate authority
> that verifies only the email address on a key.
> I've created such a beast.  There's information on it here:

> I'm interested to hear opinions on this.  In particular, my robot does not
> do a challenge/response the way it's usually assumed.  It just signs the
> key and sends it to the address in the key ID.  I rely on delivery failures
> to eliminate the bad signatures.

The idea is not that new.

<> have done signings upon nothing but e-mail
verification for years.

They have 5 Signing keys ("Class 0" up to "Class 4") expressing different
depths of identity checking. Class 0 is just for testing purposes and
Class 4 needed too complicated identity tests, so they don't offer it any

See their Policy
or <> to get an
idea about their definition.

Class 1 seems to be exactly what your robot wants to do:

| 4.2 Class 1 certificates
| Class 1 certificates always contain an e-mail address. Class 1
| certificates confirm that the stated e-mail address existed at the time of
| application and that the owner of the public key had access to this e-mail
| address.
| Class 1 certificates provide very little authentication of the identity of
| the certificate holder. Except from the existence and the accessibility of
| the e-mail address, no data contained in the certificate is being checked.

As far as I can see they don't offer OpenPGP signings any more, at least
they don't advertise it on the website. Otherwise I might have tested the

Greeting, Michi

P.S.: As there have been discussions about ways to identify yourself to a
website by your key in this thread:

They use an interesting solution for a website login based upon the ability
to sign with a certain key:
Go to <> and activate
the link "> Closed User Groups (PGP Certificate required)".

They provide a random number. Clearsigning it with a key they have in their
database proves that you have legitimate access to that database.