Robot CA at toehold.com
Mon Dec 9 10:43:06 2002
-----BEGIN PGP SIGNED MESSAGE-----
At 09:36 2002-12-09 +0100, you wrote:
>David Shaw wrote:
> [ 0x11 persona sigs ]
>> Don't forget PGP. You're making signatures that act incorrectly for
>> exactly 100% of the user base of OpenPGP. Are you sure you want to do
>Nice as it is, I think the web of trust idea is much overrated. It works
>for verifying signatures in everyday use, like on mailing lists. But
>when real secrecy is in question, in most cases
> - people either have met in persona and therefore could exchange keys
> - or people are within a relatively closed group (say, Debian
>developers who have to mail around account data), so manual verifying of
>a trust path is easy enough.
>I doubt the global web of trust is used much for more than a casual
>verification. So, for me, e-mail robotCA has its justification as well
>as 0x11 signatures (which hopefully people *do* notice as soon as they
>become careful about trust), and I wouldn't call this 'polluting' the
>web of trust.
I agree that in cases where real secrecy is needed other means of key
verification than the Web of Trust have to be used.
I agree that the robotCA is useful. Verifying e-mail addresses ei
establishing the connection key - e-mail address is important for casual
encryption, as someone else has stated as well.
In fact I was a little confused about the signing levels at first, because
I wanted to make exportable signatures on keys when I had verified only the
e-mail address, but didn't find any appropriate signing level. Thus I only
put exportable signatures on keys when I have checked the identity of the
keyholder - and that's not very frequent.
I think it's fine if the robot uses level 1 (casual check) -signatures, but
in the future I would like to introduce a new level: "I have checked the
e-mail address only". I would find it very helpful. And I would sign a lot
of keys and help some other people that might not use the robot.
I still think it would be more natural for most people to verify the
connection between the e-mail address and the person. (And it's easier to
check on e-mail address by phone than reading fingerprints!) Thus a
verification of the connection between the e-mail address and the key would
But as someone else have stated: In many cases it is sufficient just to
establish the connection between the e-mail address and the key. It doesn't
really matter who the person behind the address is. That makes it even more
helpful with verification of e-mail addresses.
As to PGP and old software I have noticed that e.g. PGP 6.5.8 doesn't
notice expired signatures! It put me off from starting a CA-services last
year, because I didn't want the CA-signatures to have an eternal life. But
now that Kyle Hasselbacher has started his robot I might think it over
again. Or rather I will encourage people to use his robot. Important
features must be introduced and used. They might even encourage people to
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (MingW32) - GPGrelay v0.906c
-----END PGP SIGNATURE-----