Discussion:
Robot CA -- thanks for the suggestions.
Kyle Hasselbacher
2002-12-08 13:49:01 UTC
Permalink
I won't make a habit of announcing changes here, since I don't think it's
the place for it, but all the changes I made tonight are a result of
suggestions made on this mailing list. I thought folks might be
interested. The web page reflects these changes already:

http://www.toehold.com/robotca/

- - The robot's responses are encrypted with the key it's signing.
- - The robot's signatures are "persona" signatures.
- - The robot's signatures include a policy URL.
- - The robot's signatures expire after three months.
- - It's under RCS, so you have revision numbers.
- - I signed the code, so you can verify it when you get it.
- - There's an option in the code (that I'm not using) to ignore a UID if it
contains more than just an email address (so the robot doesn't appear to
verify anything it isn't verifying).

I didn't really get to test that last one much. When I make a key with
GnuPG, it wants my real name to be at least five characters. I didn't
spend much time looking for a way to generate an email-only UID.

I'm thinking about revoking the current robot key (that doesn't expire) and
creating a new one that expires in a few years.

Thank you all for the suggestions. I've gotten a lot out of the discussion
here.
- --
Kyle Hasselbacher | We need free speech in this country
***@toehold.com | so we can identify the jerks out there. -- Ted Nugent
Adrian 'Dagurashibanipal' von Bidder
2002-12-08 22:17:02 UTC
Permalink
--=-LR1UMSQ2IwH1AuWSZjwT
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
- - There's an option in the code (that I'm not using) to ignore a UID if=
it
contains more than just an email address (so the robot doesn't appear t=
o
verify anything it isn't verifying).
Cool.
I didn't really get to test that last one much. When I make a key with
GnuPG, it wants my real name to be at least five characters. I didn't
spend much time looking for a way to generate an email-only UID.
--allow-freeform-uid or something simmilar.

cheers
-- vbi

--=20
this email is protected by a digital signature: http://fortytwo.ch/gpg

NOTE: keyserver bugs! get my key here: https://fortytwo.ch/gpg/92082481

--=-LR1UMSQ2IwH1AuWSZjwT
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iHMEABECADMFAj3zYs0sGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h
aWwuMjAwMjA4MjIACgkQi6Qxi+Wn99bsvwCeJdkU2vzusfW41qvpSovaAMbqr7YA
n12k/ONfulz2VgxZ/I0cjIqjIcqI
=TxsF
-----END PGP SIGNATURE-----
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822

--=-LR1UMSQ2IwH1AuWSZjwT--
Kyle Hasselbacher
2002-12-09 00:11:02 UTC
Permalink
Thanks for the update. I previously tried your robot. I'd like to know
if..
- the previous version sent the resulting signed key(s) to a key
server ?
which one(s) ?
- this new version sends the resulting signed key(s) to a key server
? which
one(s) ?
It doesn't send the resulting signed key to a key server, and it never
did. Doing so would break the design since email delivery to the user is
what verifies that the signature is good. I rely on delivery failure to
eliminate the signatures I shouldn't have made.
I think it'd be best if it wouldn't. If that's already the case, I
believe
it'simportant you mention it on the site...
I'll put that in when I make some of the other changes I have planned.
Thanks for the suggestion!
- --
Kyle Hasselbacher An idea is not responsible
***@toehold.com for the people who believe in it.

Loading...