elGamal Keys to Sign+Encrypt

Per Tunedal pt@radvis.nu
Tue Jan 14 19:43:02 2003 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 21:27 2003-01-13 -0500, you wrote:
 >On Mon, Jan 13, 2003 at 04:57:06PM -0800, Len Sassaman wrote:
 >> On Mon, 13 Jan 2003, David Shaw wrote:
 >>
 >> > However, that said, why should a CA care?  I wouldn't make the CA
 >> > signing key an Elgamal signing key, but it shouldn't matter if you
 >> > certify an ElGamal key.
 >>
 >> It depends on your CSP. A CA is making an assertion that the entity
 >> possessing the secret key corresponding to a given public key is or has
 >> some bit of information included in the certificate.
 >
 >Well, I agree that it comes down to policy.  My point was that there
 >is no technical issue with making such a signature.
 >
 >However, it is an interesting question what the appropriate policy is.
 >
 >> If the public key algorithm is too weak to reasonably trust that the
 >> private key cannot be discovered by a third party, it is not wise to
 >> sign.
 >
 >Traditional OpenPGP certification signatures do not attempt to say
 >more than some variation on "I certify that such-and-such entity (or
 >role) matches such-and-such key".  I'm not talking about trust
 >signatures here, of course, which are a different beast.  It raises
 >some interesting issues whether the signer should take into account
 >something other than key ownership when making a certification.  There
 >are of course exceptions to this, and a signer is free to do whatever
 >the heck they like anyway.
 >
 >How different is the example above with signing the key of someone who
 >is known to make willy-nilly bad signatures?  Your certification is
 >still strong, despite the poor certification policy that the keyholder
 >has.  On the other side of this is the fact that nobody likes to be
 >the one to "enable" a weak link in the web of trust.
 >
 >No one answer here, I'm afraid.
 >
 >David
 >
 >

My answer is that it is important that a CA publishes the policy. Everyone
can then decide how much to trust the CA (that applies to the robot-CA as
well ...)

It might be useful with a CA with a restrictive policy: it might be more
trusted than other CA:s.

In fact it's the only reson not to have only robot-CA:s: i.e. a human CA
has the advantage to be able to perform complicated checks and have a
judgment of what to sign. Even a robot can deny to sign certain kinds of
keys ... ;-)

Per Tunedal

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (MingW32) - GPGrelay v0.9096

iD8DBQE+JFpBV+WjFXkFqqkRAmwmAKD5kmjK3ViTuN2kuVjXR619uulLhQCgsD6S
jjuBe9lh9T4vV47D06XbI2M=
=k3ZO
-----END PGP SIGNATURE-----