Robot CA at

David Shaw
Tue Dec 10 03:49:02 2002

On Mon, Dec 09, 2002 at 09:36:27AM +0100, Adrian 'Dagurashibanipal' von Bidder wrote:
> On Mon, 2002-12-09 at 01:01, David Shaw wrote:
>  [ 0x11 persona sigs ]
> > Don't forget PGP.  You're making signatures that act incorrectly for
> > exactly 100% of the user base of OpenPGP.  Are you sure you want to do
> > that?
> Nice as it is, I think the web of trust idea is much overrated. It works
> for verifying signatures in everyday use, like on mailing lists. But
> when real secrecy is in question, in most cases
>  - people either have met in persona and therefore could exchange keys
> directly.
>  - or people are within a relatively closed group (say, Debian
> developers who have to mail around account data), so manual verifying of
> a trust path is easy enough.
> I doubt the global web of trust is used much for more than a casual
> verification.

I agree with this.

> So, for me, e-mail robotCA has its justification as well
> as 0x11 signatures (which hopefully people *do* notice as soon as they
> become careful about trust), and I wouldn't call this 'polluting' the
> web of trust.

But not this.  Just because the web of trust isn't perfect, it does
not follow that adding weak data to it is okay.  Why not add more
strong data and make it better?


   David Shaw  |  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson