Robot CA at

David Shaw
Tue Dec 10 18:55:02 2002

On Tue, Dec 10, 2002 at 11:39:56AM -0600, Kyle Hasselbacher wrote:

> >This is not necessarily true - I wrote a robot which has the same
> >general concept as the other robots, but does no signing online.  I
> >wasn't satisfied with including a key on an internet-connected machine,
> >so the robot code just handles the grunt work and then passes me a
> >list of keys to sign offline.  That robot, incidentally, is not
> >running.
> Is that really better?  I see very similar attacks.
> - Break into the robot box, steal the secret key, use it to sign bogus keys
> until someone notices and revokes it.
> - Break into the robot box, insert bogus keys into the "OK to sign" list,
> get them signed until someone notices.
> Not knowing the details of your setup, I don't know if this is a valid
> attack.  I think as long as you trust the computer to do the validation
> correctly, you might as well trust it to do the signing too.

Not a valid attack, because it's not an automated process.  I am
personally the part of the process that signs the keys and I double
check. ;)

Incidentally, what do you plan to do if/when your robot key gets
compromised?  There are a lot of "Granny"s that will need their
configurations updated.


   David Shaw
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson