Robot certificate authority
A robot certificate authority is a certificate authority (CA) which automatically signs public keys which match some requirement.

Typically Robot CAs are set up to validate that a public key which claims to belong to an e-mail address does actually belong to that e-mail address. This is achieved by the Robot CA signing each uid on the public key and sending the signed copy to the e-mail address, encrypted with the public key. If the public key belongs to whoever reads the e-mail address, they receive the signed copy, can decrypt it and then publish it to the public key servers. If the public key does not belong to whoever reads the e-mail address, they are unable to decrypt the encrypted signed copy, but the accompanying message gives them sufficient information to let them know that someone is attempting to impersonate them.

Robot CAs are considered significantly less secure than other CAs, which typically require multiple forms of photographic identification. In particular, most robot CAs are only as strong as the underlying e-mail infrastructure: anyone who can read another person's mail can impersonate them, and anyone who can read and delete another person's e-mail can obtain the signature without the person knowing, if they don't read their e-mail at exactly the right time or the impostor prevents the signature e-mail from being seen. Robot CAs also offer no evidence as to the real identity of an OpenPGP user, merely their e-mail address. All well-behaved Robot CAs use a signature policy URL, which is the URL of the policy under which the keys are signed.

A Robot CA also has the side effect of serving as a time stamp server for keys because a time stamp is included in the signature added to the key. The signature is evidence that the key existed and was in use at a certain point in time.
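The three steps described above (the CA certifies a uid, mails the certification encrypted to the subject key, and the holder decrypts and publishes it), together with the mailbox weakness and the timestamp side effect, as an added example that is not part of the original article and not the code of any real robot CA. It assumes RSA-PSS signatures and RSA-OAEP plus AES-GCM encryption in place of OpenPGP, a SHA-256 digest of the RSA modulus in place of a key fingerprint, and a placeholder policy URL; the `Open` step fails for someone who can read the mailbox but does not hold the private key, which is the only check a robot CA performs.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// UIDSignature is the robot CA's certification of one user ID on one subject key.
// SignedAt is part of the signed bytes, so the signature also acts as a timestamp.
type UIDSignature struct {
	UID       string    `json:"uid"`
	KeyDigest string    `json:"key_digest"`
	PolicyURL string    `json:"policy_url"` // the signature policy URL the CA publishes
	SignedAt  time.Time `json:"signed_at"`
	Signature []byte    `json:"signature"`
}

// signedBytes is the canonical string the CA signs and a verifier recomputes.
func (s *UIDSignature) signedBytes() []byte {
	return []byte(s.UID + "\n" + s.KeyDigest + "\n" + s.PolicyURL + "\n" + s.SignedAt.UTC().Format(time.RFC3339))
}

// keyDigest is a constructed stand-in for an OpenPGP key fingerprint (assumption).
func keyDigest(pub *rsa.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(pub.N.Bytes()))
}

// RobotCA holds the CA's own signing key and its signature policy URL.
type RobotCA struct {
	Key       *rsa.PrivateKey
	PolicyURL string
}

func NewRobotCA(policyURL string) (*RobotCA, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &RobotCA{Key: k, PolicyURL: policyURL}, err
}

// SignUID certifies the uid without any ownership check of its own; the check is
// done by delivery, since only the key holder can open the sealed copy.
func (ca *RobotCA) SignUID(subject *rsa.PublicKey, uid string, now time.Time) (*UIDSignature, error) {
	sig := &UIDSignature{UID: uid, KeyDigest: keyDigest(subject), PolicyURL: ca.PolicyURL, SignedAt: now.UTC().Truncate(time.Second)}
	h := sha256.Sum256(sig.signedBytes())
	var err error
	sig.Signature, err = rsa.SignPSS(rand.Reader, ca.Key, crypto.SHA256, h[:], nil)
	return sig, err
}

// Sealed is what is mailed to the uid's address: the certification encrypted to the
// subject key (RSA-OAEP wrapping an AES-GCM session key, standing in for OpenPGP).
type Sealed struct{ WrappedKey, Nonce, Ciphertext []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

func (ca *RobotCA) Seal(subject *rsa.PublicKey, sig *UIDSignature) (*Sealed, error) {
	payload, err := json.Marshal(sig)
	if err != nil { return nil, err }
	sessionKey, nonce := make([]byte, 32), make([]byte, 12) // AES-256 key, standard GCM nonce
	if _, err := rand.Read(sessionKey); err != nil { return nil, err }
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	gcm, err := newGCM(sessionKey)
	if err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, subject, sessionKey, []byte("robot-ca"))
	if err != nil { return nil, err }
	return &Sealed{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// Open is the mailbox reader's step. Anyone who can read the mail learns that a
// certification was requested, but only the holder of the private key recovers it.
func Open(priv *rsa.PrivateKey, m *Sealed) (*UIDSignature, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, m.WrappedKey, []byte("robot-ca"))
	if err != nil { return nil, errors.New("cannot unwrap session key: reader does not hold the subject's private key") }
	gcm, err := newGCM(sessionKey)
	if err != nil { return nil, err }
	payload, err := gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
	if err != nil { return nil, err }
	var sig UIDSignature
	return &sig, json.Unmarshal(payload, &sig)
}

// Verify is what a key server or relying party checks once the holder publishes the signature.
func Verify(caPub, subject *rsa.PublicKey, sig *UIDSignature) error {
	if keyDigest(subject) != sig.KeyDigest { return errors.New("certification is over a different key") }
	h := sha256.Sum256(sig.signedBytes())
	return rsa.VerifyPSS(caPub, crypto.SHA256, h[:], sig.Signature, nil)
}
```

Because the policy URL and the timestamp are inside the signed bytes, a relying party that later verifies the published certification learns both the policy the key was signed under and the moment the key was in use, which is the timestamp property the article describes; a reader of the mailbox who changes the uid or substitutes another key makes `Verify` fail.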

OpenPGP

SSL

  • CAcert (Supports both SSL & OpenPGP, on any software or hardware. At the moment, it is not accepted by either Firefox or Internet Explorer)
  • StartSSL (Basic certificates are free, others cost.)
  • CertifyID Certificates (Only Internet Explorer is supported running on a Microsoft operating system.)
  • Comodo (Internet Explorer only, email certificates are free, others cost)
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.