Robot CA at toehold.com
Kyle Hasselbacher
kyle@toehold.com
Tue Dec 10 18:39:01 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, Dec 10, 2002 at 12:14:11PM -0500, David Shaw wrote:
>On Tue, Dec 10, 2002 at 03:07:40PM -0000, greg@turnstep.com wrote:
>
>> The main objection I have to getting any sort of robot or automated gnupg
>> user into the WoT is that the robot is inherently insecure. You have a
>> program that is signing keys on machine connected to the internet, and
>> the passphrase *and* secret key are both stored on the box. I know that
>> not everyone stores their secret key on removable media far from the
>> public internet, but I do think that the great majority of the people
>> in the WoT store their passphrase in memory only.
>
>This is not necessarily true - I wrote a robot which has the same
>general concept as the other robots, but does no signing online. I
>wasn't satisfied with including a key on a internet-connected machine,
>so the robot code just handles the grunt work and then passes me a
>list of keys to sign offline. That robot, incidentally, is not
>running.
Is that really better? I see very similar attacks.
- - Break into the robot box, steal the secret key, use it to sign bogus keys
until someone notices and revokes it.
- - Break into the robot box, insert bogus keys into the "OK to sign" list,
get them signed until someone notices.
Not knowing the details of your setup, I don't know if this is a valid
attack. I think as long as you trust the computer to do the validation
correctly, you might as well trust it to do the signing too.
You do get a little more security because it's harder to keep an open door
to a broken machine than to simply get in once and steal the goods. It's
also nice that there's a possibility of reviewing what's signed before
signing (wither this is actually done or not).
Still, it seems like a lot more pain for the operator for only a little
gain in security. I guess it's just a matter of what you're willing to
trade off.
- --
Kyle Hasselbacher
kyle@toehold.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE99ibs10sofiqUxIQRAnkUAJ4sZY+IKKp4b/yqdWZXo//PaYJrzQCg979d
NOgyd92rHOCT+97lkcBse2o=
=bUY9
-----END PGP SIGNATURE-----