Robot CA at toehold.com

Kyle Hasselbacher kyle@toehold.com
Sun Dec 8 22:50:02 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, Dec 08, 2002 at 09:39:36PM +0100, Michael Nahrath wrote:
>Kyle Hasselbacher <kyle-list-gpguser@toehold.com> schrieb am 2002-12-08
>20:24 Uhr:

>> I think including more people in the web of trust is a good thing.  Part of
>> my motivation for creating this is that I saw so many keys which I thought
>> were good but which had no solid trustworthy connection to anything.  The
>> reason they had no connection is that making the connection is hard.
>
>It is hard because those connections _have_ to be strong. Rather have a lot
>of people unconnected (which simply expresses the truth) than lowering the
>meaning of signatures.

I think the only keys that should not be in the web of trust are the ones
that are totally bogus, through and through.  Being able to express weak
connections expresses the truth--that I have a little trust, but not
absolute trust, that I know something, but not everything.  If Alice gets
in, but I can see that no one is REALLY sure about it, that still tells me
more than if she doesn't get in at all.

>Weak connections are SPAM to the web of trust.

I think they're details.  They express a truth that was not expressable
before.  It's not noise; it's just not as good as other signals.

>> I WANT to lower the barrier of entry.
>
>... accepting that you might ruin it that way?
>
>(Mainly a question. I haven't come to a conclusion yet.)

Clearly, I don't believe it will be ruined that way.  8-)  Of course, I
don't want to make the WoT worthless.  I think getting more people in it
makes it more valuable.

>> I agree that it's sort of a "back door" into the web, and the unwary may
>> place too much faith in a path that is really weak, but the path is clearly
>> marked.  I think part of the problem is that WoT implementations treat all
>> classes of signatures the same--that is, the robot's lame "persona"
>> signature is just as strong as signatures made with a personal meeting.
>> Everyone is either in the web or out.  It doesn't allow for the "half-way
>> in" kind of trust the robot provides.
>
>Even if GPG, PGP and HKP where updated immediately with such a feature
>it would take years untill most people had the ability to recognize the
>weakness of a robot signature.
>People simply don't update their softway as fast as you may wish.

That's fine.  There may be a little chaos in the meantime.  The existence
of persona signatures (and people who make them) is an incentive for people
to upgrade.  I'd say since GnuPG already supports making persona
signatures, distinguishing them from harder signatures is a feature that
needs to come next anyway.

>I have thought it over:
>Originally you where looking for a way to enable client software to
>pre-check the mail-address in a reciepient's key.
>
>Therefore you want to have keys pre-validated by an e-mail validating robot.
>That far it is OK. It doesn't raise security in any way but it may raise
>comfort for the users of that specific client software.
>
>Expressing the sucessfull check by adding a robot's signature to the key
>is not the right way because this is not what signing should be about.
>
>'persona'-signatures might be a solutions but we don't have the adequate
>software to treat 'weak signatures' yet.
>
>What you need is a validating keyserver!

Adoption of a validating key server may be faster than adoption of OpenPGP
implementations that recognize persona sigs for what they are.  I don't
mind if that's the right way to go, but, well, I went this other way
already.  8-)

Besides, I think GnuPG needs to understand persona sigs anyway.

It might be almost as easy to make a key server that accepts only keys
signed by the robot, and strips those signatures when exporting them to the
world.  I'm not sure that's an improvement.

>No signatures are given by the robot for this e-mail verification.
>Geting listed on such a keyserver is proof enough.

So, if I get a key through another route, I have to check to see if it's on
the validating key server to know if the email address is valid.  If I'm
offline, I'm just blind.  Not that that will happen much, but it's not a
problem with a robot's signature floating along with the key.

>If your to-be-written client software only connects to those 'validating
>keyservers' you have anything you need to protect granny from sending e-mail
>to non existing mail addresses.
>
>And the web of trust might stay what it is meant to:
>A strong web built upon strong connections only.

I've never thought of the WoT that way.  Fact is, there are jokers out
there who will sign a key at the drop of a hat.  If they've been validated
(no reason not to if they're using their real name), then they're bringing
in people who wouldn't get in otherwise.  It's up to the users to discover
who those jokers are and to distrust their signatures.  The nice thing
about the robot is, it MARKS its signatures as being "a joke."
- -- 
Kyle Hasselbacher
kyle@toehold.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9877g10sofiqUxIQRAi48AJ9+CXaKH7xfVmjAeVg/k41dh4foVgCguyhW
obUwDRIAMR0hVhmAdbJiJPQ=
=3LR6
-----END PGP SIGNATURE-----