Robot CA at

Jason Harris
Sun Dec 8 23:19:05 2002



On Sun, Dec 08, 2002 at 08:26:06PM +0100, Michael Nahrath wrote:
> Jason Harris <> wrote on 2002-12-08 at 19:12:
> > I (0xD39DA0E3) signed Kyle's personal (0x2A94C484) and robot (0xC521097=
> > keys with 0x11/persona signatures because I established that the keys
> > were linked to their specified email/web addresses.
> Personally I find this insufficient, at least as long as
> <
> 0x2A94C484> does not display that this was just meant as a "weak signatur=

Notice the 0x11 on the line with my signature - that is the sigclass.

> and GPG inherits trust on these signatures as it does for all others.

> Do you intend to give a "sig!1" to everybody who ever answered an
> encrypted e-mail you sent to them? They all proved that their e-mail
> address is valid.

Not at all; I only do so when I have a good reason.

> > If anyone wants to see keyanalyze reports without PGP CA keys being
> > included, the first step is identifying them.  So far, I know about
> > Thawte Freemail (0x5AC41CB9, 0xDE46F54F, 0x6BE9A169, 0x066E6D90,

> ct magazine and DFN-PCA have strong policies about this (at least for tho=
> I have read them).
> If one begins to treat them like any homegrown e-mail validation service,=
> may ruin all the good they have done to build up the strong web of trust =
> have now.

Right.  I wasn't passing judgement on any PGP CA.

On Sun, Dec 08, 2002 at 09:39:36PM +0100, Michael Nahrath wrote:
> Kyle Hasselbacher <> wrote on 2002-12-08 at 20:24:
> It is hard because those connections _have_ to be strong. Rather have a l=
> of people unconnected (which simply expresses the truth) than lowering the
> meaning of signatures.
> Weak connections are SPAM to the web of trust.

Please keep in mind that keyanalyze doesn't cryptographically verify
any signatures; such is the domain of GPG.

> 'persona'-signatures might be a solution but we don't have the adequate
> software to treat 'weak signatures' yet.
> What you need is a validating keyserver!
> Current keyservers take and store each key they get, without any tests.
> Imagine a new generation net of keyservers that don't incorporate keys to
> their database before they have proof that at least the e-mail address
> belongs to the key owner!

Nice idea, but now you're placing too much emphasis on email addresses.
How do you allow for anonymity (and changing email addresses)?

> No signatures are given by the robot for this e-mail verification.
> Getting listed on such a keyserver is proof enough.
> Check out what happens if you want to upload your key to for
> an example (they don't have expiration yet)!

This helps make sure that people are contactable via email (for
keysignings) and control the keys being listed, which is most
helpful for this type of application.

Jason Harris          | NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it? | web:
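
Added example, not part of the original message or of keyanalyze: the sigclass pointed out above appears in field 11 of each `sig` record in GnuPG's machine-readable listing (`gpg --with-colons --list-sigs`), so a graph-building tool can drop persona (0x11) certifications and known CA signers before counting edges. All key IDs, dates, user IDs and the CA set below are constructed placeholders, and the function names are hypothetical.

```python
# Added example: read signature classes from `gpg --with-colons --list-sigs` output.
# RFC 4880 certification classes (0x11 is the "persona" class discussed above).
CERT_CLASSES = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}

# Constructed sample listing: every key ID, date and user ID is a placeholder.
SAMPLE = """\
pub:-:1024:17:AAAAAAAA00000001:1030000000:::-:::scESC:
uid:-::::1030000000::::Example Robot <robot@example.org>:
sig:::17:AAAAAAAA00000001:1030000000::::Example Robot <robot@example.org>:13x:
sig:::17:BBBBBBBB00000002:1039000000::::Example Signer <signer@example.org>:11x:
sig:::17:CCCCCCCC00000003:1039100000::::Example CA <ca@example.org>:10x:
sig:::17:DDDDDDDD00000004:1039200000::::Example Friend <friend@example.org>:12x:
sig:::17:EEEEEEEE00000005:1039300000::::Example Local <local@example.org>:13l:
rev:::17:DDDDDDDD00000004:1039400000::::Example Friend <friend@example.org>:30x:
"""


def parse_certifications(listing):
    """Yield (target, signer, sigclass, exportable) for each sig record."""
    target = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            target = f[4]                      # field 5: 64-bit key ID
        elif f[0] == "sig" and len(f) > 10 and len(f[10]) >= 3:
            # field 11: two hex digits + 'x' (exportable) or 'l' (local-only)
            yield target, f[4], int(f[10][:2], 16), f[10][2] == "x"


def trust_edges(listing, ca_keyids=frozenset(), drop_classes=frozenset()):
    """Return (signer, target, class name) edges after policy filtering."""
    edges = []
    for target, signer, sigclass, exportable in parse_certifications(listing):
        if signer == target or not exportable:
            continue                           # self-signature or local-only
        if sigclass not in CERT_CLASSES:
            continue                           # not a key certification
        if signer in ca_keyids or sigclass in drop_classes:
            continue                           # policy: known CA key or weak class
        edges.append((signer, target, CERT_CLASSES[sigclass]))
    return edges


if __name__ == "__main__":
    print(trust_edges(SAMPLE))                              # unfiltered graph
    print(trust_edges(SAMPLE, {"CCCCCCCC00000003"}, {0x11}))  # CA and persona removed
```

Like keyanalyze, this only reads what the listing claims; it does not cryptographically verify any signature.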
