Robot CA at

Michael Nahrath
Mon Dec 9 07:22:01 2002

Jason Harris <> wrote on 2002-12-08 at 23:19:

>> Personally I find this insufficient, at least as long as
>> <
>> does not display that this was just meant as a "weak signature"
> Notice the 0x11 on the line with my signature - that is the sigclass.

Oh nice! I never really noticed that column before.
I must have filtered this as some kind of garbage hex-code.

>> Imagine a new generation net of keyservers that don't incorporate keys to
>> their database before they have proof that at least the e-mail address
>> belongs to the key owner!
> Nice idea, but now you're placing too much emphasis on email addresses.

I thought about an alternative to the mail-address validating robot that
wouldn't harm the WoT.
What else does the robot check but mail addresses?

> How do you allow for anonymity (and changing email addresses)?

Again: How does Kayle's robot?

>> No signatures are given by the robot for this e-mail verification.
>> Getting listed on such a keyserver is proof enough.
>> Check out what happens if you want to upload your key to for
>> an example (they don't have expiration yet)!
> This helps make sure that people are contactable via email (for
> keysignings) and control the keys being listed, which is most
> helpful for this type of application.

I agree. They need it for ensuring their own communication ways to their
customers and to prevent someone from faking listings for keys that don't
belong to them. They use the private key as a password.

I already cited 
as an example how the same can be reached based upon signing instead of

But I still see no benefit at all for granny if her client only uses weakly
signed keys. It doesn't give her any increase of security against any

Imagine this one: 

I configure an e-mail address <> (happens to be my
domain) and create a new key for "Jason Harris <>".
I let this key be signed by the robotCA. I sign your real key with it and
immediately afterwards I revoke it with the message "DON'T USE THIS KEY ANY
MORE! PLEASE USE $FAKE-KEY INSTEAD!" with $FAKE-KEY being the ID of my key.

I create a website at containing your photo,
introduced as the new employee in the company and my fake-key's fingerprint
on the page that contains your personal contact information.

Then I send a bunch of clearsigned e-mails in your name to the people that
have signed your original key (not to your nearest friends and not to known
security experts of course), telling them how happy you are with your new
job and that they should from now on only use the new mail-address and the
new key.

They will import my key to their GPG or PGP and will see the revocation
message (only the very knowledgeable will see that this is not really a
revocation to the key), they may look for your "old" key at the keyserver
and will see the revoked signature very prominent. They will check "your"
new website and will see your photo along with the fingerprint of my fake

OK, nothing of that is new. Just basic social engineering.

The difference is: If they have put full trust to your original key (I
suppose most people who signed your key do this) and to the robotCA's
(I guess most robotCA users do this) the calculated trust of my faked key
will be 'f' as soon as they import it.
If they re-check the first signed e-mail I sent to them after they have
imported my key their program will tell them: "YOU FULLY TRUST THIS KEY."

How many of them would still try to confirm the new key's fingerprint with
you personally (at least by telephone) before they start sending sensitive
data to me encrypted or believe what I write to them in signed mails?

That is how giving "weak signatures" may harm the signer in the first place.

Greetings, Michi (not planning to do any of the above)
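
An added example, not part of the original message: a small checker that reads the sigclass column mentioned in the thread and reports which third-party signers have certified a key only with a weak class such as 0x11. It assumes the record layout of GnuPG's `--with-colons --list-sigs` output (signer key ID in field 5, signer user ID in field 10, sigclass in field 11); the sample records, key IDs and names are constructed.

```python
# Added example: classify certifications on a key by OpenPGP signature class.
# SAMPLE is constructed; key IDs, names and addresses are placeholders.
SIGCLASS = {
    0x10: "generic certification",
    0x11: "persona certification (no identity check)",
    0x12: "casual certification",
    0x13: "positive certification",
}

SAMPLE = """\
pub:-:1024:17:AAAAAAAAAAAAAAAA:1039000000:::-:::scESC:
uid:-::::1039000000::0000::Example User <user@example.org>:
sig:::17:AAAAAAAAAAAAAAAA:1039000000::::Example User <user@example.org>:13x:
sig:::17:BBBBBBBBBBBBBBBB:1039300000::::Robot CA (constructed) <robot@example.org>:11x:
sig:::17:CCCCCCCCCCCCCCCC:1039400000::::Some Friend <friend@example.org>:12x:
"""

def certifications(colon_output):
    """Yield (signer_keyid, signer_uid, sigclass) for each 'sig' record."""
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] != "sig" or len(f) < 11 or len(f[10]) < 2:
            continue
        # Field 11 is two hex digits plus 'x' (exportable) or 'l' (local).
        yield f[4], f[9], int(f[10][:2], 16)

def weak_only_signers(colon_output, primary_keyid, min_class=0x12):
    """Third-party signers whose strongest certification is below min_class."""
    best = {}
    for keyid, _uid, cls in certifications(colon_output):
        if keyid == primary_keyid or cls not in SIGCLASS:
            continue  # skip self-signatures and non-certification classes
        best[keyid] = max(best.get(keyid, 0), cls)
    return sorted(k for k, c in best.items() if c < min_class)

if __name__ == "__main__":
    for keyid, uid, cls in certifications(SAMPLE):
        print(f"{keyid}  0x{cls:02x}  {SIGCLASS.get(cls, 'other')}  {uid}")
    print("weak-only signers:", weak_only_signers(SAMPLE, "AAAAAAAAAAAAAAAA"))
```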