Robot CA at toehold.com

David Shaw dshaw@jabberwocky.com
Tue Dec 10 03:36:02 2002 

On Sun, Dec 08, 2002 at 09:52:01PM -0600, Kyle Hasselbacher wrote:

> I've seen lots of talk about whether my Robot CA should be part of the web
> of trust, and about weak signatures in the web of trust.  I'm writing one
> post rather than follow up to everything.
> 
> David Shaw is correct in pointing out that getting the Robot CA in the WoT
> does not improve its functionality.  The problem I see is how someone would
> verify the integrity of the robot's key.  They could verify it with me the
> same way they'd verify my key.  Given a verified key, it could be put on
> read-only media distributed with the user's mail client or other
> out-of-band means.  It seems far easier just to use the WoT (I sign the
> robot, and they verify my key the usual way).

Using the web of trust is actually a pretty ineffective way to verify
the robot key.  Remember that (by default) the web of trust is 4
levels deep.  That means they'd have to trust you, trust someone who
trusts you, or trust someone who trusts that person.  Anything further
than this and the robot key is useless.

Having people trust the robot key explicitly means a:

 trusted-key (robot key)

in their config file.  Very explicit, very much opt-in, and no
question about accidentally trusting something that was not intended.

Since this system was promoted as part of a special setup for Granny,
that special setup can trivially include this configuration.  It
doesn't help Granny to involve the web of trust at all.

> Concerns about polluting the WoT aside, it seems proper for me to sign my
> robot's key and vice versa.  Assuming I am who I say I am (I feel
> comfortable making that assumption), I could get into the WoT legitimately
> myself.  At that point, the robot is in too, and everyone it signed.

Believe it or not, I agree with this.  You are running the robot, if
there is anyone out there who knows the robot key, it's you.  This is
just another example of the general non-human-key problem like company
key signers, software signing keys, etc.

> I agree with Richard Laager when he says that the "over trust" of 0x11
> signatures is an issue with the user agent.  The fact that it's an issue
> with ALL of them doesn't make this less true.  When everyone on the road is
> speeding, it doesn't mean they're not breaking the law.

But it does mean that people who are driving along with them should be
careful ;)

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson