On Fri, Sep 6, 2013 at 9:09 PM, Ted Lemon
<ted(_dot_)lemon(_at_)nominum(_dot_)com> wrote:
On Sep 6, 2013, at 8:21 PM, Melinda Shore
<melinda(_dot_)shore(_at_)gmail(_dot_)com> wrote:
when you vouch for someone's identity - in an authoritative
trust system - you're also vouching for the authenticity of
their transactions.
This is what I mean by "a high bar." Signing someone's PGP key should
mean "I know this person as X," not "this person is X."
For purposes of email security it is not about the keys at all. It is the
email addresses that are the real killer.
I can be very sure that I have the right key for
ted(_dot_)lemon(_at_)nominum(_dot_)com but
is that who I know as Ted Lemon?
One value of IETF key signing parties is that we get a better assurance
that we know the email address we are sending to is the address of the Ted
Lemon that participates in IETF than we can possibly get through Web of
Trust where someone may be signing a key in all good faith but for the
wrong person.
--
Website: http://hallambaker.com/