Robot CA at toehold.com

Michael Nahrath gnupg-users@nahrath.de
Sun Dec 8 21:39:02 2002


Kyle Hasselbacher <kyle-list-gpguser@toehold.com> wrote on 2002-12-08
at 20:24:

>> If a robot CA must be done, and I do see some limited benefits to it,
>> it must not become a free pass into the web of trust strong set.  That
>> hurts all of the users of OpenPGP.
> 
> I think including more people in the web of trust is a good thing.  Part of
> my motivation for creating this is that I saw so many keys which I thought
> were good but which had no solid trustworthy connection to anything.  The
> reason they had no connection is that making the connection is hard.

It is hard because those connections _have_ to be strong. Rather have a lot
of people unconnected (which simply expresses the truth) than lower the
meaning of signatures.

Weak connections are SPAM to the web of trust.

> I WANT to lower the barrier of entry.

... accepting that you might ruin it that way?

(Mainly a question. I haven't come to a conclusion yet.)
 
> I agree that it's sort of a "back door" into the web, and the unwary may
> place too much faith in a path that is really weak, but the path is clearly
> marked.  I think part of the problem is that WoT implementations treat all
> classes of signatures the same--that is, the robot's lame "persona"
> signature is just as strong as signatures made with a personal meeting.
> Everyone is either in the web or out.  It doesn't allow for the "half-way
> in" kind of trust the robot provides.

Even if GPG, PGP and HKP were updated immediately with such a feature
it would take years until most people had the ability to recognize the
weakness of a robot signature.
People simply don't update their software as fast as you may wish.

I have thought it over:
Originally you were looking for a way to enable client software to
pre-check the mail address in a recipient's key.

Therefore you want to have keys pre-validated by an e-mail validating robot.
That far it is OK. It doesn't raise security in any way but it may raise
comfort for the users of that specific client software.

Expressing the successful check by adding a robot's signature to the key
is not the right way because this is not what signing should be about.

'persona'-signatures might be a solution but we don't have the adequate
software to treat 'weak signatures' yet.

What you need is a validating keyserver!

Current keyservers take and store each key they get, without any tests.

Imagine a new generation net of keyservers that don't incorporate keys into
their database before they have proof that at least the e-mail address
belongs to the key owner!
Keys should even expire from their database automatically if they are not
confirmed after a certain period of time.

No signatures are given by the robot for this e-mail verification.
Getting listed on such a keyserver is proof enough.

Check out what happens if you want to upload your key to biglumber.com for
an example (they don't have expiration yet)!

If your to-be-written client software only connects to those 'validating
keyservers' you have everything you need to protect granny from sending e-mail
to non-existing mail addresses.

And the web of trust might stay what it is meant to:
A strong web built upon strong connections only.

Greetings, Michi
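A sketch of the 'validating keyserver' described in the post above, as an added example that is not part of the original thread: a submitted key sits in a pending table until the challenge token mailed to its address is returned, and unconfirmed submissions expire after a fixed window. The class name, the HMAC-based challenge token, and returning the token instead of mailing it are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time


class ValidatingKeyserver:
    """Keyserver model (hypothetical): a key is only listed after the
    submitter proves control of the e-mail address on it, and pending
    submissions that are never confirmed are dropped automatically."""

    def __init__(self, confirm_window=7 * 24 * 3600, clock=time.time):
        self._secret = secrets.token_bytes(32)   # server-side HMAC key
        self._pending = {}    # fingerprint -> (email, submitted_at)
        self._listed = {}     # fingerprint -> email (publicly searchable)
        self.confirm_window = confirm_window     # seconds to confirm
        self.clock = clock                       # injectable for tests

    def _token(self, fingerprint, email, submitted_at):
        # Token is bound to key, address and submission time, so it cannot
        # be reused for another key or after a resubmission.
        msg = f"{fingerprint}|{email}|{submitted_at}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def submit(self, fingerprint, email):
        """Record the key as pending and return the challenge token that
        would be mailed to `email`. Nothing is published at this point."""
        now = int(self.clock())
        self._pending[fingerprint] = (email, now)
        return self._token(fingerprint, email, now)

    def confirm(self, fingerprint, token):
        """Move a pending key to the public listing if the token matches."""
        self.expire()
        entry = self._pending.get(fingerprint)
        if entry is None:
            return False
        email, submitted_at = entry
        expected = self._token(fingerprint, email, submitted_at)
        if not hmac.compare_digest(token, expected):
            return False
        del self._pending[fingerprint]
        self._listed[fingerprint] = email
        return True

    def expire(self):
        """Drop pending keys whose confirmation window has passed."""
        now = self.clock()
        for fp, (_, submitted_at) in list(self._pending.items()):
            if now - submitted_at > self.confirm_window:
                del self._pending[fp]

    def lookup(self, email):
        """Only confirmed keys are ever returned to clients."""
        return [fp for fp, e in self._listed.items() if e == email]
```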