Robot CA at

David Shaw
Mon Dec 9 03:10:02 2002

On Sun, Dec 08, 2002 at 07:15:20PM -0600, Richard Laager wrote:

> > However, having random people sign the robot's key - which allows
> > people to gain trust *through* the robot does nothing but harm the
> > web of trust for no real benefit.  Since the robot works perfectly
> > well without collecting signatures on its own key, those signatures
> > should be discouraged.
> How does signing the robot's key allow people to gain trust through
> the robot? If we were talking about people, instead of robots, here's
> how I'm interpreting what you're saying:
> 1. Alice signs Bob's key and sets his ownertrust to full.
> 2. Bob signs Charlie's key. Alice can now be sure she's dealing with
> Charlie's authentic key because she trusts Bob. (This is the basic
> ownertrust principle.)
> 3. Charlie signs David's key.
> Does this mean Alice can be sure she's dealing with the authentic key
> of David? No. Bob can, IF he trusts Charlie. For Alice to be sure
> she's working with David's authentic key, she needs to trust Bob to
> make "trusted introducer" signatures.

Quite right, but only on paper.  Unfortunately, people treat the web
of trust as gospel.  Many Alices would treat David's key as trusted
because there is A path, rather than because there is a GOOD path.

This is nonsense of course, but pervasive nonsense.  I don't believe
in catering to nonsense in general, but I do keep it in mind.

Let me turn the question around and ask "what benefit is derived by
someone other than the robot operator signing the robot key?"

> Is this a problem? I would say so. I don't want to trust all of his
> (or anybody else's) signature levels the same. But, is this Jason's
> fault for making the signature. No. He's acting within his set policy
> for giving 0x11 signatures. I think this is an issue with the OpenPGP
> user agent, in this case GPG.

The problem here is not the lack of fine control over trust in GnuPG.
The problem is the lack of fine control in *all* OpenPGP clients.
Even if/when I add the code to do this in GnuPG, it doesn't address
PGP... if you follow the logic available to a PGP user who can't
discriminate between signature types, discarding that weak 0x11
signature also means that he can't trust Jason's key at all.  That's
unfortunate, so I pointed it out.  If Jason wants to do it anyway,
hey, it's his key and his reputation.  OpenPGP puts all trust control
in the hands of the end user, so it's certainly not up to me whether
his key should be trusted or not by anyone other than myself.

> I've always wanted to see a feature in GPG that would let me decide
> on a per-key AND per-signature type level the amount of trust to
> give. I want to be able to encode something like this: "I want keys
> signed by the Robot CA, the Thawte Freemail keys, and the TC
> TrustCenter Class 1 keys to be marginally trusted as valid keys
> (unless another rule applies more trust) with no ownertrust." I
> realize this is not simple to codify by any means. I wish I was
> familiar with the GPG internals, so that I could start coding this.
> But, alas, I'm not.

I was the person who added signature types to GnuPG back in 1.0.7.  My
intent at the time was to do a few releases with them as they stand
now to get more typed signatures out in the wild, and then add the
sort of functionality that you describe.  Since then, I've had more
than a few moments wondering whether this is a bad idea.  The factors
are, as always, usability and PGP.  The usability factor says don't
make using GnuPG more complex which will chase people away.  The PGP
factor realizes that PGP is never, ever, going to support this (I'd be
thrilled to be shown wrong, but I'm not holding my breath).  Combine
the two and it comes up as a cool feature that will alienate and harm
more than it benefits.  So a few people get to do a neat trust trick
that they couldn't do before... at the cost of how many people who
don't start using GnuPG at all because there is yet one more
comphrehension barrier to adopting it.  The web of trust is difficult
enough for the beginner to understand already.

All that said, I still plan on doing this some time in 1.3.x, but
it'll be something only the "power user" will ever see.  I'm halfway
regretting having non-power users see the signature levels at all, but
that's done with already.

> I don't care about the impact of signature types on keyanalyze
> reports.

Actually, neither do I.  While I think that people should show some
restraint in issuing persona signatures, I think that once they are
issued they should certainly show up in the keyanalyze reports.
They're a genuine part of the web of trust even if I personally don't
like it, so why hide them?

> I found plenty of people willing to give me 0x11 signatures
> by confirming that I could decrypt encrypted mail to my e-mail
> address. All it would take to get a ton of keys into the strong set
> would be to get a 0x11 signature from someone already in the strong
> set, and then sign every key on a keyserver. One can't place too much
> faith in the "strong set" because all signature types, and more
> importantly, all signers are given the same weight. Furthermore,
> Jason Harris mentioned that keyanalyze doesn't do cryptographic
> verification of signatures. One could easily make a ton of bogus
> signatures and ruin the keyanalyze statistics. The same applies to
> the pathfinder.

Keyanalyze gets it output from GnuPG, if I recall.  GnuPG shows
invalid signatures - does keyanalyze ignore this information?

In any event, I don't really follow your logic here - because the
system is already vulnerable to subversion we don't have to care about
putting poor data in?  Surely not.

> I don't see why GPG needs to
> limit it's (user agent) functionality to match PGP. One can't argue
> that it needs to be done for compatibility, because PGP will continue
> to handle trust issues as it does now.

There are in fact several places where GnuPG design is influenced to
be compatible with PGP, and places where the PGP design is influenced
to be compatible with GnuPG (this wasn't always true, but the new PGP
company has been quite good at fixing interoperability problems
reported to them) This is true even in places where the OpenPGP
standard doesn't dictate behavior either way.  We all have to work
together, or what is the point of standards in the first place?


   David Shaw  |  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson