Robot CA at toehold.com

greg@turnstep.com
Tue Dec 10 16:15:02 2002



The main objection I have to getting any sort of robot or automated gnupg 
user into the WoT is that the robot is inherently insecure. You have a 
program that is signing keys on a machine connected to the internet, and 
the passphrase *and* secret key are both stored on the box. I know that 
not everyone stores their secret key on removable media far from the 
public internet, but I do think that the great majority of the people 
in the WoT store their passphrase in memory only.

I would really like to see all robots and automated scripts kept out 
of the WoT and continue to assume (hope?) that all signatures inside of the 
web were performed correctly by actual people. Barring that, I'd like to 
have an option to the various WoT trace programs that allows certain keys 
to be excluded. This sounds easier than trying to account for 
signature levels, which are not reliable anyway, as many have pointed 
out.

Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 200212100945
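The exclusion option the post asks for, as an added example that is not part of the original message or of any existing WoT trace tool: a breadth-first trust-path search over a constructed toy signature graph, where keys listed in `excluded` (here a hypothetical robot CA key) are neither traversed nor accepted as signers, so a path that only exists through the robot's signatures disappears.

```python
from collections import deque

# Constructed toy signature graph: signer -> set of key IDs it has signed.
# All key IDs are placeholders, not real keys.
SIGNATURES = {
    "ALICE": {"BOB", "ROBOT"},
    "BOB": {"CAROL"},
    "ROBOT": {"DAVE"},   # hypothetical robot CA: signs after an e-mail challenge only
    "CAROL": {"ROBOT"},
    "DAVE": set(),
}


def trust_path(start, target, excluded=frozenset()):
    """Return the shortest signature path from start to target, or None.

    Keys in `excluded` are never traversed and never accepted as signers,
    so any certification that depends on them is ignored.
    """
    if start in excluded or target in excluded:
        return None
    prev = {start: None}          # key -> key that signed it along the path
    queue = deque([start])
    while queue:
        key = queue.popleft()
        if key == target:
            path = []
            while key is not None:   # walk back to the start key
                path.append(key)
                key = prev[key]
            return path[::-1]
        for signed in SIGNATURES.get(key, ()):
            if signed in excluded or signed in prev:
                continue
            prev[signed] = key
            queue.append(signed)
    return None


if __name__ == "__main__":
    print(trust_path("ALICE", "DAVE"))                      # via the robot
    print(trust_path("ALICE", "DAVE", excluded={"ROBOT"}))  # None
```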
