Robot CA at

David Shaw
Sun Dec 8 13:22:02 2002

On Fri, Dec 06, 2002 at 10:18:17PM -0600, Kyle Hasselbacher wrote:
> David Shaw wrote:
> > On Fri, Dec 06, 2002 at 01:21:58PM -0600, Kyle Hasselbacher wrote:
> > > If I see a key that's not mine that IS signed by the robot, then I
> > > know that someone else has access to my email.  That's a big
> > > improvement over them reading my mail without me knowing.  The
> > > action I can take when I find out is the same--get another email
> > > address.  Without knowing, I take no action, and the snooping
> > > continues.
> >
> > That's cheating a little bit - you're promoting this to make crypto
> > simpler for Granny.  Granny won't know what on earth it means to have
> > multiple signed keys.  Plus, it's going to be a VERY common case to
> > have multiple signed keys by the robot.  It happens every day that
> > someone makes a key, sends it to the keyserver, and then forgets the
> > passphrase so they have to make a new one.  Some people have 4-5 dead
> > keys on the keyservers that they can't get rid of.
> I hadn't considered that people would have multiple legitimately signed
> keys.  The problem will be mitigated by expiring signatures (this makes me
> want to expire them faster), but it'll probably still happen a lot (with
> people installing multiple email clients and whatnot).
> You could automate the check for multiple signed keys.  When it turns up,
> explain to the user what it means, and what it MAY mean.  If they choose
> "ignore it", then remember the extra key you saw, and pop the dialog again
> only if ANOTHER key shows up.  We can have as many dead keys as we want on
> the "don't care" list.
> People who ignore real attacks are (again) no worse off than if they had no
> crypto, except maybe that they're annoyed by perplexing questions.  What
> bothers me is people who take action against a false positive.  They
> generated two keys without knowing it, but they think the big bad
> postmaster is out to get them.
> That's a tough one.

It's worse actually, since multiple signed keys isn't even really an
exception.  I can point to dozens of people who have multiple keys
with the same email address for "non-error" reasons:

1) People who have a "main key" (presumably offline) and a "laptop

2) People who keep around a PGP 2.6.x key as well as an OpenPGP key.

> I think as long as there are some cases where we encrypt productively when
> we would not have before, it's victory.  If I fail totally to encrypt when
> there are multiple signed keys, or when there's a legitimate key that's not
> signed, that won't bother me.  These are users who previously would have
> never encrypted anyway.

It is interesting to me that this design discourages encrypted
communication between Granny and OpenPGP-savvy users (who are far more
likely to have multiple keys than the average population).

> FYI, I've only signed keys of people I know personally.

Which raises an interesting question.  Should people (real people, not
other robots) sign the robot's key.  I strongly feel the best answer
here is "no".  There is no need to - the robot is a CA and has that
authority with or without such signatures.  Signing a robot key also
encourages people who don't need to use this system to use it anyway
because it hooks them into the web of trust via a weakly-checked back

If a robot CA must be done, and I do see some limited benefits to it,
it must not become a free pass into the web of trust strong set.  That
hurts all of the users of OpenPGP.


   David Shaw  |  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson