
Re: pgp signing in van

2013-09-06 22:49:09
On Friday, September 06, 2013 23:39:59 Phillip Hallam-Baker wrote:
> On Fri, Sep 6, 2013 at 9:09 PM, Ted Lemon
> <ted(_dot_)lemon(_at_)nominum(_dot_)com> wrote:
> > On Sep 6, 2013, at 8:21 PM, Melinda Shore
> > <melinda(_dot_)shore(_at_)gmail(_dot_)com> wrote:
> > > when you vouch for someone's identity - in an authoritative
> > > trust system - you're also vouching for the authenticity of
> > > their transactions.
> >
> > This is what I mean by "a high bar."  Signing someone's PGP key should
> > mean "I know this person as X," not "this person is X."
>
> For purposes of email security it is not about the keys at all. It is the
> email addresses that are the real killer.
>
> I can be very sure that I have the right key for
> ted(_dot_)lemon(_at_)nominum(_dot_)com but
> is that who I know as Ted Lemon?
>
> One value of IETF key signing parties is that we get a better assurance
> that we know the email address we are sending to is the address of the Ted
> Lemon that participates in IETF than we can possibly get through Web of
> Trust where someone may be signing a key in all good faith but for the
> wrong person.

Except what you're talking about is building an IETF centered web of trust.
That's exactly the right thing to be doing.  For all the key signings I've
done the signer mails the signed key to the signee to upload to a key server.
That does provide reasonable assurance that the key, the person, and the email
address go together.

Scott K
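
The mail-the-signed-key workflow Scott describes, as an added example that is not part of the thread: the signer checks the fingerprint against what was exchanged in person, certifies the user ID, and sends the certified key encrypted to that same key, so the certification only becomes usable to whoever holds both the mailbox and the matching private key. The three keyrings, the names Alice, Bob and Mallory, their addresses and the scratch directory are assumptions for the demo; everything else is stock GnuPG (2.1 or later).

```shell
#!/bin/sh
# Added example, not code from the thread: a caff-style key-signing round
# trip with GnuPG. Three throwaway keyrings play the signer (Alice), the
# key holder (Bob) and a third party (Mallory) who can read Bob's mailbox
# but does not hold Bob's private key. Names, addresses and the scratch
# directory are assumptions made for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/ksp-demo.$$"
ALICE="$WORK/alice"; BOB="$WORK/bob"; MALLORY="$WORK/mallory"
for d in "$ALICE" "$BOB" "$MALLORY"; do mkdir -p "$d"; chmod 700 "$d"; done

# gpg wrapper: $1 is the keyring directory, the rest are gpg arguments.
# Demo keys carry no passphrase, hence loopback pinentry with an empty one.
g() {
    home="$1"; shift
    gpg --homedir "$home" --batch --quiet --no-tty --yes \
        --pinentry-mode loopback --passphrase '' "$@"
}

# Fingerprint of the first key matching $2 in keyring $1.
fpr_of() {
    g "$1" --with-colons --list-keys "$2" | awk -F: '/^fpr:/ { print $10; exit }'
}

# Step 0: both parties create a key. Bob hands Alice his fingerprint in
# person (the slip of paper at the party) and publishes his public key.
g "$ALICE" --quick-gen-key 'Alice <alice@example.org>' default default never
g "$BOB"   --quick-gen-key 'Bob <bob@example.org>'     default default never
SLIP=$(fpr_of "$BOB" 'bob@example.org')
g "$BOB" --export "$SLIP" > "$WORK/bob.pub"

# Step 1 (signer): import the published key, check that its fingerprint
# matches the one received in person, and only then certify the user ID.
sign_key() {
    g "$ALICE" --import "$WORK/bob.pub"
    [ "$(fpr_of "$ALICE" "$1")" = "$1" ] || { echo "fingerprint mismatch" >&2; return 1; }
    g "$ALICE" --quick-sign-key "$1"
}

# Step 2 (signer): export the freshly certified key and encrypt it to that
# same key. This is the "mail" to bob@example.org: the certification is only
# recoverable by someone who holds the private key matching the fingerprint
# checked in step 1, which is what ties key, person and address together.
mail_signature() {
    g "$ALICE" --export "$1" \
      | g "$ALICE" --trust-model always --armor --recipient "$1" \
            --encrypt --output "$WORK/mail.asc"
}

# Step 3 (mailbox owner): decrypt the mail and import the certified key.
# Fails (non-zero) when keyring $1 lacks the matching private key.
receive_signature() {
    g "$1" --decrypt --output "$WORK/$2.pub" "$WORK/mail.asc" \
      && g "$1" --import "$WORK/$2.pub"
}

# Number of certifications on Bob's key made by Alice's key, as seen from
# keyring $1 (colon format: "sig" records, field 5 is the certifier key id).
alice_sigs_on() {
    alice_kid=$(g "$ALICE" --with-colons --list-secret-keys | awk -F: '/^sec:/ { print $5; exit }')
    g "$1" --with-colons --list-sigs "$SLIP" \
      | awk -F: -v k="$alice_kid" '$1 == "sig" && $5 == k { n++ } END { print n + 0 }'
}

sign_key "$SLIP"
mail_signature "$SLIP"
BEFORE=$(alice_sigs_on "$BOB")              # Bob has not imported anything yet
receive_signature "$BOB" bob
AFTER=$(alice_sigs_on "$BOB")
MALLORY_READS=0
receive_signature "$MALLORY" mallory >/dev/null 2>&1 && MALLORY_READS=1  # expected to fail
echo "certifications by Alice on Bob's key: before=$BEFORE after=$AFTER; Mallory could read the mail: $MALLORY_READS"
for d in "$ALICE" "$BOB" "$MALLORY"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true; done
```

The fingerprint check in step 1 is the part the in-person meeting supplies; the encryption in step 2 is what the mailing step adds on top of it. Mallory, who can read Bob's mailbox but holds no private key for that fingerprint, gets ciphertext and nothing to upload, while the signer also learns nothing about whether the address is live, which is why a signee that never completes step 3 simply never gets the certification published.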
