Robot CA at toehold.com

Michael Nahrath gnupg-users@nahrath.de
Sun Dec 8 20:27:01 2002


Jason Harris <jharris@widomaker.com> wrote on 2002-12-08 at 19:12:

> I (0xD39DA0E3) signed Kyle's personal (0x2A94C484) and robot (0xC521097E)
> keys with 0x11/persona signatures because I established that the keys
> were linked to their specified email/web addresses.

Personally I find this insufficient, at least as long as
<http://keyserver.kjsl.com:11371/pks/lookup?op=vindex&fingerprint=on&search=0x2A94C484>
does not display that this was just meant as a "weak signature"
and GPG inherits trust on these signatures as it does for all others.

Do you intend to give a "sig!1" to everybody who ever answered an
encrypted e-mail you sent to them? They all proved that their e-mail
address is valid.

> If anyone wants to see keyanalyze reports without PGP CA keys being
> included, the first step is identifying them.  So far, I know about
> Thawte Freemail (0x5AC41CB9, 0xDE46F54F, 0x6BE9A169, 0x066E6D90,
> 0x3CE4352F, 0xAD26F8E6, 0xFE77B6E1, 0x1811465A, 0x663D3B3F, 0x6F79AC0C,
> 0x86EE189C), ct magazine (0xB3B2A12C), and Robot CA (0xC521097E,
> 0x8A7C07CD).  trustcenter.de, DFN-PCA, and arcanus.com/arcanvs.com
> are some others that spring to mind.  Some signatures from some of
> these keys are backed up by in-person identity checks, though.

That is the big danger I see in calling a service that signs almost for
nothing a "CA". It devalues the real CAs that do check the identity of the
signed party very thoroughly if they all get mixed up.

ct magazine and DFN-PCA have strong policies about this (at least those
whose policies I have read).
If one begins to treat them like any homegrown e-mail validation service, it
may ruin all the good they have done to build up the strong web of trust we
have now.

> NB:  Watch your followups.

Sorry, I don't understand what you mean by this.
Is there something formally incorrect with my mails?

Greeting, Michi
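The thread turns on the certification class of a signature (0x11 "persona", the "sig!1" above) not being visible on the keyserver page. Added example, not from the post or from GnuPG: a small parser for GnuPG's colon-delimited signature listing that reports the class of each certification on a key, so persona signatures can be told apart from casual or positive ones. The field layout is assumed from `gpg --with-colons --list-sigs` output (signer key ID in field 5, signer user ID in field 10, signature class in field 11); all key IDs and names in the sample are constructed placeholders.

```python
# Added example (not from the post or GnuPG): classify certifications from
# `gpg --with-colons --list-sigs KEYID`. Assumed 'sig' record layout: signer
# key ID in field 5, signer user ID in field 10, signature class in field 11
# ("11x" = persona, exportable). Key IDs and names below are constructed.
from collections import Counter
from dataclasses import dataclass

CLASS_NAMES = {"10": "generic", "11": "persona", "12": "casual", "13": "positive"}
PERSONA = "11"

@dataclass
class Cert:
    uid: str         # user ID being certified
    signer: str      # key ID of the certifying key
    signer_uid: str  # signer's user ID as printed by GnuPG
    sig_class: str   # "10".."13"
    exportable: bool

def parse_sigs(listing: str) -> list[Cert]:
    """Attach each 'sig' record to the 'uid' record that precedes it."""
    certs, current_uid = [], ""
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "uid" and len(f) > 9:
            current_uid = f[9]
        elif f[0] == "sig" and len(f) > 10 and current_uid:
            certs.append(Cert(current_uid, f[4], f[9], f[10][:2], f[10].endswith("x")))
    return certs

def weak_certs(certs: list[Cert], key_id: str) -> list[Cert]:
    """Third-party persona certifications; the key's own self-signature is skipped."""
    return [c for c in certs if c.sig_class == PERSONA and c.signer != key_id]

def class_counts(certs: list[Cert]) -> dict[str, int]:
    return dict(Counter(CLASS_NAMES.get(c.sig_class, c.sig_class) for c in certs))

# Constructed listing (placeholder key IDs): a self-signature, a persona
# certification from a robot-style signer, and a positive one from a person.
SAMPLE = """\
uid:u::::1000000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sig:::17:0000000000000001:1000000000::::Example User <user@example.org>:13x:::::::::
sig:::17:0000000000000002:1039000000::::Robot Signer <robot@example.net>:11x:::::::::
sig:::17:0000000000000003:1039000000::::Careful Signer <signer@example.net>:13x:::::::::
"""

if __name__ == "__main__":
    certs = parse_sigs(SAMPLE)
    print(class_counts(certs))
    for c in weak_certs(certs, "0000000000000001"):
        print(f"persona-only certification on {c.uid!r} by {c.signer} ({c.signer_uid})")
```

Later GnuPG releases also offer `--min-cert-level` to leave low-class certifications out of the trust calculation, which addresses the inheritance concern raised above.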