Robot CA at toehold.com
greg@turnstep.com
Tue Dec 10 16:15:02 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The main objection I have to getting any sort of robot or automated gnupg
user into the WoT is that the robot is inherently insecure. You have a
program that is signing keys on a machine connected to the internet, and
the passphrase *and* secret key are both stored on the box. I know that
not everyone stores their secret key on removable media far from the
public internet, but I do think that the great majority of the people
in the WoT store their passphrase in memory only.

I would really like to see all robots and automated scripts kept out
of the WoT and continue to assume (hope?) that all signatures inside of the
web were performed correctly by actual people. Barring that, I'd like to
have an option to the various WoT trace programs that allows certain keys
to be excluded. This sounds easier than trying to account for
signature levels, which are not reliable anyway, as many have pointed
out.
Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 200212100945
-----BEGIN PGP SIGNATURE-----
Comment: http://www.turnstep.com/pgp.html
iD8DBQE99gT7vJuQZxSWSsgRAmzuAJsEIgf4aBqfYKRlhBzLmbZ/nnt/9ACeOjwn
KYTJi3yZkmdevsSGuW6niYE=
=ylW+
-----END PGP SIGNATURE-----
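
Added example, not part of the original message and not code from any existing WoT trace program: a minimal sketch of the exclusion option the message asks for, showing how a shortest-path trace over a signature graph changes when a robot key is left out. The graph, the key names and the function names `trace` and `only_via` are constructed for illustration.

```python
from collections import deque

# Constructed signature graph: signer -> keys it has signed.
# All key names are placeholders, not real keys.
SIGS = {
    "ALICE": ["BOB", "ROBOT"],
    "BOB": ["CAROL"],
    "CAROL": ["DAVE"],
    "ROBOT": ["DAVE", "ERIN"],   # the automated signer
    "DAVE": [],
    "ERIN": [],
}

def _search(sigs, src, exclude):
    """Breadth-first search from src, never entering an excluded key.
    Returns {key: predecessor} for every key reached."""
    if src in exclude:
        return {}
    prev = {src: None}
    queue = deque([src])
    while queue:
        key = queue.popleft()
        for signed in sigs.get(key, ()):
            if signed not in prev and signed not in exclude:
                prev[signed] = key
                queue.append(signed)
    return prev

def trace(sigs, src, dst, exclude=frozenset()):
    """Shortest signature chain from src to dst, or None if no chain exists."""
    prev = _search(sigs, src, exclude)
    if dst not in prev:
        return None
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]

def only_via(sigs, src, exclude):
    """Keys reachable from src only through an excluded key."""
    full = set(_search(sigs, src, frozenset()))
    kept = set(_search(sigs, src, frozenset(exclude)))
    return sorted(full - kept - set(exclude))

if __name__ == "__main__":
    print(trace(SIGS, "ALICE", "DAVE"))
    print(trace(SIGS, "ALICE", "DAVE", exclude={"ROBOT"}))
    print(only_via(SIGS, "ALICE", {"ROBOT"}))
```

In this constructed graph the shortest chain to DAVE runs through the robot until the key is excluded, and ERIN is reachable through the robot alone.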