Robot CA at toehold.com
Adrian 'Dagurashibanipal' von Bidder
avbidder@fortytwo.ch
Sun Dec 8 16:06:02 2002
On Sun, 2002-12-08 at 13:22, David Shaw wrote:
> Which raises an interesting question. Should people (real people, not
> other robots) sign the robot's key? I strongly feel the best answer
> here is "no". There is no need to - the robot is a CA and has that
> authority with or without such signatures. Signing a robot key also
> encourages people who don't need to use this system to use it anyway
> because it hooks them into the web of trust via a weakly-checked back
> door.
Hmmm. Collecting signatures on a key is collecting trust. Personally, I
do sign keys of CAs I trust (with a policy URL with a statement how much
I trust them). So, if I'd trust a robotCA and I encounter people with
robot-CA-signed keys (where I can't establish trust through better
ways), I will trust the robotCA's key.
When I see a CA key and I see that some famous people (in my case, this
would mean gpg-wise or Debian-wise) have signed that CA's key, I'm
inclined to trust their business as serious. When I see a CA's key and
virtually nobody has signed the key, I start to wonder...
cheers
-- vbi
--
this email is protected by a digital signature: http://fortytwo.ch/gpg
NOTE: keyserver bugs! get my key here: https://fortytwo.ch/gpg/92082481
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822