Robot CA at

David Shaw
Tue Dec 10 20:33:01 2002

On Tue, Dec 10, 2002 at 06:49:11PM -0000, wrote:
> David Shaw wrote:
> > This is not necessarily true - I wrote a robot which has the same
> Sorry - I am not sure which part of my quote is "not necessarily true"?

The part about robots being inherently insecure because they keep
their keys online.  The robot I wrote didn't do so, and used a human
being to do the actual signing.  I guess you could argue that
something that involves a human isn't really a robot.

> > I think we want the same thing, but are going about it differently.  I
> > want robots and scripts kept out of the web of trust... but if they do
> > leak in there, I don't want them excluded from the various web mapping
> > programs.  By that point, the damage is done and they are for better
> > or for worse part of the web.  Of course, it could be argued that this
> > would encourage people to sign robot keys, so perhaps it is indeed
> > better to leave them out.  I don't like that as the mappers will then
> > show a different web of trust than the real world will.
> I do not agree with this: once they are added to the WoT (and they
> will be, all it takes is one misguided/malicious person) we should
> minimize the damage by allowing an option to exclude those keys. Or
> at the least putting a strong warning next to the key if it appears
> in a path. Bonus points for any program that checks if there is an
> alternate path that does not involve the robot, and adds the robot
> keys as a "path of last resort."

I sort of agree with you, but those signatures are, like it or not,
part of the web of trust at that point.  They may be weak and
unfortunate additions, but they are present.  More practically, who
makes the decision what gets included or not?  One person's exclusion
list is bound to be different than another.  This loops back to the
discussion about having GnuPG print out a user-customized web of trust
that takes into account local signatures and trust values.  With a
publicly available web of trust application (pathfinder, etc.) the
link is there, so I think it should be shown.  Of course, that's me.

If there was a computationally feasible way to exclude certain keys on
a dynamic basis, then I have no objections to that of course.  I
suspect that it would be possible or even easy for pathfinders to do
this dynamically, but very difficult for things like the keyanalyze
report to do this dynamically.


   David Shaw
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
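
An added example, not part of the original message: a sketch of the per-query exclusion discussed in this thread, where a pathfinder first looks for a signature path that avoids the viewer's own exclusion list and only then falls back to a flagged "path of last resort". The signature graph, the key names and the function names are constructed for illustration and are not taken from any real pathfinder or keyserver.

```python
from collections import deque

# Constructed signature graph: signer -> keys it has signed.
# Key names are placeholders, not real key IDs.
SIGS = {
    "alice": ["robot", "bob"],
    "bob": ["carol"],
    "robot": ["carol", "dave"],
    "carol": ["erin"],
    "dave": [],
    "erin": [],
}

def shortest_path(sigs, src, dst, excluded=frozenset()):
    """BFS over signatures from src to dst, never stepping onto an excluded key."""
    if src in excluded or dst in excluded:
        return None
    prev = {src: None}
    queue = deque([src])
    while queue:
        key = queue.popleft()
        if key == dst:
            path = []
            while key is not None:
                path.append(key)
                key = prev[key]
            return path[::-1]
        for signed in sigs.get(key, ()):
            if signed not in prev and signed not in excluded:
                prev[signed] = key
                queue.append(signed)
    return None

def find_path(sigs, src, dst, excluded):
    """Prefer a path avoiding the viewer's excluded keys; else fall back and flag it."""
    path = shortest_path(sigs, src, dst, excluded)
    if path is not None:
        return path, []
    path = shortest_path(sigs, src, dst)
    if path is None:
        return None, []
    return path, [k for k in path if k in excluded]

if __name__ == "__main__":
    for target in ("carol", "dave"):
        path, flagged = find_path(SIGS, "alice", target, {"robot"})
        note = f"  (last resort, via {flagged})" if flagged else ""
        print(" -> ".join(path) + note)
```

Because the exclusion set is an argument to each query, two viewers with different lists get different answers from the same graph; a precomputed report over the whole keyring would have to be regenerated per list.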