Robot CA at toehold.com

David Shaw dshaw@jabberwocky.com
Sun Dec 8 20:44:02 2002


On Sun, Dec 08, 2002 at 06:37:17PM +0100, Adrian 'Dagurashibanipal' von Bidder wrote:
> On Sun, 2002-12-08 at 17:48, Michael Nahrath wrote:
> > Adrian 'Dagurashibanipal' von Bidder <avbidder@fortytwo.ch> wrote on
> > 2002-12-08 at 16:07:
> 
> > > Hmmm. Collecting signatures on a key is collecting trust. Personally, I
> > > do sign keys of CAs I trust (with a policy URL with a statement how much
> > > I trust them). 
> > 
> > Signing doesn't express anything about trust. It is about identity.
> > 
> > Signing a CA means that you have checked that the CA's key really belongs to
> > the organisation that runs the CA service.
> > 
> > I guess you did this with key 0xB3B2A12C.
> > The CA is run by a computer magazine and they print this key's
> > fingerprint in each edition, so you can verify it (meaning: "this key really
> > belongs to this company").
> > 
> > So you had occasion to verify that the key belongs to its (non-human) owner through a
> > second channel other than the internet (paper).
> 
> Yes, in the end it's also something about identity. But when I don't
> trust a CA, regardless of whether I verified their key or not, I don't
> want them in my web of trust, so I'll never even consider signing them.
> 
> For personal keys things are different - keys are signed just for
> identification purposes. But I feel that for a CA's key it tells
> something about who would consider using a CA's key to build a trust
> path.

Well, what is a CA?  A CA is (supposedly) an Authority.  It does not
need mere users to sign it to give it more authority as it is absolute
by design.  If someone wants to use the CA top-down trust model, they
can directly do so.  Having a CA be a part of the web of trust is sort
of blending two different trust models.  It's not necessarily bad or
good, but I suppose everyone needs to decide for themselves where the
line is drawn.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
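The distinction the thread turns on, a certification (identity: "I checked this key belongs to its owner") versus ownertrust (how far I rely on that owner as an introducer), modelled in a small added example that is not part of the mailing-list post. It is a simplified version of the OpenPGP validity calculation as GnuPG performs it (one full or three marginal introducers, bounded depth); the key names and the web of certifications are constructed for illustration.

```python
from collections import defaultdict

# Constructed mini web of trust (example data, not from the thread).
# Certification = "signer checked that this key belongs to its owner" (identity).
# Ownertrust   = "how far I rely on this key's owner as an introducer" (trust).
# OpenPGP keeps the two separate; this models that separation.
ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"
NEED_FULL, NEED_MARGINAL, MAX_DEPTH = 1, 3, 5  # GnuPG's default thresholds


def key_validity(certs, ownertrust, own_key, max_depth=MAX_DEPTH):
    """Return the set of keys considered valid from own_key's viewpoint.

    certs: iterable of (signer, signed) pairs; ownertrust: {key: level}.
    A key becomes valid once enough *valid* signers with sufficient
    ownertrust have certified it; depth is bounded like --max-cert-depth.
    """
    signers_of = defaultdict(set)
    for signer, signed in certs:
        signers_of[signed].add(signer)
    valid = {own_key}  # my own key is valid by definition
    for _ in range(max_depth):
        newly = set()
        for key, signers in signers_of.items():
            if key in valid:
                continue
            usable = [s for s in signers if s in valid]  # only valid keys introduce
            full = sum(ownertrust.get(s, NONE) in (FULL, ULTIMATE) for s in usable)
            marginal = sum(ownertrust.get(s, NONE) == MARGINAL for s in usable)
            if full >= NEED_FULL or marginal >= NEED_MARGINAL:
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid


# Scenario from the thread: I verified the CA's fingerprint out-of-band and
# certified its key; the CA has certified two user keys (constructed names).
ME, CA = "me", "ca-key"
CERTS = [(ME, CA), (CA, "alice"), (CA, "bob")]


def scenario(ca_trust, signed_ca=True):
    """Validity set for a given ownertrust on the CA, with or without my certification."""
    certs = CERTS if signed_ca else CERTS[1:]
    return key_validity(certs, {ME: ULTIMATE, CA: ca_trust}, ME)


if __name__ == "__main__":
    print(scenario(NONE))         # {'me', 'ca-key'}: identity confirmed, CA not an introducer
    print(scenario(FULL))         # {'me', 'ca-key', 'alice', 'bob'}: CA used as introducer
    print(scenario(FULL, False))  # {'me'}: ownertrust on an unverified CA key does nothing
```

Signing the CA key alone only makes the CA key itself valid; the top-down model the message describes only comes into play once ownertrust is assigned as well, and assigning trust without a verified CA key is inert.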