Robot CA at toehold.com
Wed Dec 11 16:41:02 2002
Janusz A. Urbanowicz wrote:
> In GPG you can set the key owner to 'I do not trust signatures by
> this key'. I don't know if it works as expected (i.e. negative weight
> on signature).
I am aware of ways to get around the problem in GnuPG, but I was thinking
more about the key tracing programs that have a web interface.
Richard Laager wrote:
>> [greg] Better to get a new robot at this point!
> Get a new robot? Do you mean reinstalling the same robot software on
> a new (secured) system with a new keypair?
Actually, I was thinking more of skulking out in the middle of the
night and getting a new domain name, and presenting it as a "new"
service ... (see below)
> I've had servers of mine compromised. Did I stop trusting the
> software I ran on them? Sort of. I knew that I needed a patched
> version, but that's all I could do. Are you going to switch operating
> systems and all userland software after a compromise because the same
> stuff might get compromised again? I know I wouldn't. As long as the
> hole is patched and everything is reinstalled on a clean system, I
> can trust it as much as (or more than) the old system.
You miss the point - you may trust your system again, but the public's
perception of the system may suffer an unrecoverable blow. If a major CA
was broken into and compromised, but the company eventually regained
control, all the reassurances in the world would not stop people from
considering using an alternate CA that has not been compromised.
I think if you want to be a CA (or an automated robot), you have a
responsibility to be far more paranoid and secure than a normal user.
This probably means a dedicated machine with a very restrictive firewall
and strict physical access requirements. CAs make an attractive target and
become a single point of failure, which is why the distributed Web of Trust
scheme works so much better.
Greg Sabino Mullane email@example.com
PGP Key: 0x14964AC8 200212111035
P.S. Yes, David, I no longer consider it a (dangerous) robot if the only function
is to gather data, but a human actually acts on it, as in the scenario you
described. The point where it automatically signs things is where it