Robot CA at

Kyle Hasselbacher
Tue Dec 10 18:39:01 2002

Hash: SHA1

On Tue, Dec 10, 2002 at 12:14:11PM -0500, David Shaw wrote:
>On Tue, Dec 10, 2002 at 03:07:40PM -0000, wrote:
>> The main objection I have to getting any sort of robot or automated gnupg 
>> user into the WoT is that the robot is inherently insecure. You have a 
>> program that is signing keys on machine connected to the internet, and 
>> the passphrase *and* secret key are both stored on the box. I know that 
>> not everyone stores their secret key on removable media far from the 
>> public internet, but I do think that the great majority of the people 
>> in the WoT store their passphrase in memory only.
>This is not necessarily true - I wrote a robot which has the same
>general concept as the other robots, but does no signing online.  I
>wasn't satisfied with including a key on a internet-connected machine,
>so the robot code just handles the grunt work and then passes me a
>list of keys to sign offline.  That robot, incidentally, is not

Is that really better?  I see very similar attacks.

- - Break into the robot box, steal the secret key, use it to sign bogus keys
until someone notices and revokes it.

- - Break into the robot box, insert bogus keys into the "OK to sign" list,
get them signed until someone notices.

Not knowing the details of your setup, I don't know if this is a valid
attack.  I think as long as you trust the computer to do the validation
correctly, you might as well trust it to do the signing too.

You do get a little more security because it's harder to keep an open door
to a broken machine than to simply get in once and steal the goods.  It's
also nice that there's a possibility of reviewing what's signed before
signing (wither this is actually done or not).

Still, it seems like a lot more pain for the operator for only a little
gain in security.  I guess it's just a matter of what you're willing to
trade off.
- -- 
Kyle Hasselbacher
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see