Adrian 'Dagurashibanipal' von Bidder
Sun Dec 8 16:06:02 2002

On Sun, 2002-12-08 at 13:22, David Shaw wrote:

> Which raises an interesting question.  Should people (real people, not
> other robots) sign the robot's key.  I strongly feel the best answer
> here is "no".  There is no need to - the robot is a CA and has that
> authority with or without such signatures.  Signing a robot key also
> encourages people who don't need to use this system to use it anyway
> because it hooks them into the web of trust via a weakly-checked back
> door.

Hmmm. Collecting signatures on a key is collecting trust. Personally, I
do sign keys of CAs I trust (with a policy URL with a statement how much
I trust them). So, if I'd trust a robotCA and I encounter people with
robot-CA-signed keys (where I can't establish trust through better
ways), I will trust the robotCA's key.

When I see a CA key and I see that some famous people (in my case, this
would mean gpg-wise or Debian-wise) have signed that CA's key, I'm
inclined to trust their business as serious. When I see a CA's key and
virtually nobody has signed the key, I start to wonder...

