Robot CA at toehold.com
Sun Dec 8 20:27:01 2002
Jason Harris <email@example.com> wrote on 2002-12-08 at 19:12:
> I (0xD39DA0E3) signed Kyle's personal (0x2A94C484) and robot (0xC521097E)
> keys with 0x11/persona signatures because I established that the keys
> were linked to their specified email/web addresses.
Personally I find this insufficient, at least as long as
0x2A94C484> does not display that this was just meant as a "weak signature"
and GPG inherits trust on these signatures as it does for all others.
Do you intend to give a "sig!1" to everybody who ever answered an
encrypted e-mail you sent to them? They all proved that their e-mail
address is valid.
> If anyone wants to see keyanalyze reports without PGP CA keys being
> included, the first step is identifying them. So far, I know about
> Thawte Freemail (0x5AC41CB9, 0xDE46F54F, 0x6BE9A169, 0x066E6D90,
> 0x3CE4352F, 0xAD26F8E6, 0xFE77B6E1, 0x1811465A, 0x663D3B3F, 0x6F79AC0C,
> 0x86EE189C), ct magazine (0xB3B2A12C), and Robot CA (0xC521097E,
> 0x8A7C07CD). trustcenter.de, DFN-PCA, and arcanus.com/arcanvs.com
> are some others that spring to mind. Some signatures from some of
> these keys are backed up by in-person identity checks, though.
That is the big danger I see in calling a service that signs almost for
nothing a "CA". It devalues the real CAs that do check the identity of the
signed very thoroughly if they all get mixed up.
ct magazine and DFN-PCA have strong policies about this (at least those
I have read).
If one begins to treat them like any homegrown e-mail validation service, it
may ruin all the good they have done to build up the strong web of trust we
> NB: Watch your followups.
Sorry, I don't understand what you mean by this.
Is there something formally incorrect with my mails?
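
Added example, not part of the original message or of keyanalyze: a sketch of the filtering step discussed in the thread. It reads records in the `gpg --list-sigs --with-colons` layout, drops certifications issued by the robot/CA key IDs listed in the quoted text, and drops 0x11 (persona) certifications. The sample records, the zero-padded 64-bit IDs, the key 0xAAAAAAAA and the function names are constructed for illustration.

```python
# Added example: prune signature edges before a keyanalyze-style run.
# Short IDs the quoted text lists as Thawte Freemail, ct magazine and Robot CA.
CA_SHORT_IDS = {
    "5AC41CB9", "DE46F54F", "6BE9A169", "066E6D90", "3CE4352F", "AD26F8E6",
    "FE77B6E1", "1811465A", "663D3B3F", "6F79AC0C", "86EE189C",  # Thawte
    "B3B2A12C",                                                  # ct magazine
    "C521097E", "8A7C07CD",                                      # Robot CA
}

# OpenPGP certification signature classes (RFC 4880, section 5.2.1).
CERT_CLASSES = {"10": "generic", "11": "persona", "12": "casual", "13": "positive"}

# Constructed sample in `gpg --list-sigs --with-colons` layout. The 64-bit IDs
# are zero-padded short IDs from the thread; AAAAAAAA and all dates are made up.
SAMPLE = """\
pub:-:1024:17:000000002A94C484:1000000000:::-:::scESC:
uid:-::::1000000000::::Kyle (constructed uid):
sig:::17:000000002A94C484:1000000000::::Kyle (constructed uid):13x:
sig:::17:00000000D39DA0E3:1039300000::::Jason (constructed uid):11x:
sig:::17:00000000C521097E:1039300000::::Robot CA (constructed uid):10x:
sig:::17:00000000AAAAAAAA:1039300000::::Friend (constructed uid):13x:
"""

def parse_edges(colon_text):
    """Return (signer, signee, cert_class_name) for each third-party certification."""
    edges, signee = [], None
    for line in colon_text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            signee = f[4]                      # field 5: ID of the key being listed
        elif f[0] == "sig" and signee and len(f) > 10:
            cls = f[10][:2].lower()            # field 11: "11x" = class 0x11, exportable
            if cls in CERT_CLASSES and f[4] != signee:   # skip self-signatures
                edges.append((f[4], signee, CERT_CLASSES[cls]))
    return edges

def filter_edges(edges, exclude=CA_SHORT_IDS, drop_classes=("persona",)):
    """Drop edges issued by excluded keys or carrying a dropped cert class."""
    return [
        (signer, signee, cls) for signer, signee, cls in edges
        if signer[-8:].upper() not in exclude and cls not in drop_classes
    ]

if __name__ == "__main__":
    for edge in filter_edges(parse_edges(SAMPLE)):
        print(edge)
```

Short 32-bit key IDs can collide, so a real exclusion list should match on full fingerprints rather than on the ID suffix used here.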