Robot CA at
Wed Dec 11 16:41:02 2002

Hash: SHA1

Janusz A. Urbanowiz wrote:

> In GPG you can set the key owner to 'I do not trust signatures by 
> this key'. I don't know if it works as expected (i.e. negative weight 
> on signature).

I am aware of ways to get around the problem in GnuPG, but I was thinking 
more about the key tracing programs that have a web interface.

Richard Laager wrote:

>> [greg] Better to get a new robot at this point!

> Get a new robot? Do you mean reinstalling the same robot software on
> a new (secured) system with a new keypair?

Actually, I was thinking more of skulking out in the middle of the 
night and getting a new domain name, and presenting it as a "new" 
service ... (see below)

> I've had servers of mine compromised. Did I stop trusting the
> software I ran on them? Sort of. I knew that I needed a patched
> version, but that's all I could do. Are you going to switch operating
> systems and all userland software after a compromise because the same
> stuff might get compromised again? I know I wouldn't. As long as the
> hole is patched and everything is reinstalled on a clean system, I
> can trust it as much as (or more than) the old system.

You miss the point - you may trust your system again, but the public's 
perception of the system may suffer an unrecoverable blow. If a major CA 
was broken into and compromised, but the company eventually regained 
control, all the reassurances in the world would not stop people from 
considering using an alternate CA that has not been compromised.

I think if you want to be a CA (or an automated robot), you have a 
responsibility to be far more paranoid and secure than a normal user. 
This probably means a dedicated machine with a very restrictive firewall 
and strict physical access requirements. CAs make an attractive target and 
become a single point of failure, which is why the distributed Web of Trust 
scheme works so much better.

Greg Sabino Mullane
PGP Key: 0x14964AC8 200212111035

P.S. Yes, David, I no longer consider it a (dangerous) robot if the only function 
is to gather data, but a human actually acts on it, as in the scenario you 
described. The point where it automatically signs things is where it 
gets dangerous.