ietf

Re: ORCID - unique identifiers for contributors

2013-09-16 16:04:26

On Sep 16, 2013, at 11:31 PM, John Levine <johnl(_at_)taugh(_dot_)com> wrote:

How do I know that the sender of this message actually has the right
to claim the ORCID in question (0000-0001-5882-6823)? The web page
doesn't present anything (such as a public key) that could be used
for authentication.

I dunno. How do we know who brian(_dot_)e(_dot_)carpenter(_at_)gmail(_dot_)com is?

What's the difference between ignorance and indifference?

Whoever brian(_dot_)e(_dot_)carpenter(_at_)gmail(_dot_)com is, it could be a 
man, a woman, or a whole think tank responding as one person (like NAT, but for 
email). Regardless, brian.e.carpenter replies to emails and publishes drafts 
(which requires replying to an email), and has his name on recent RFCs (which 
also requires replying to the AUTH48 message).

So whoever is behind the email address, he, she or they are an active IETF 
participant. Right now, nobody is preventing me from submitting an I-D and 
listing Brian as co-author, except a mail would be sent to 
brian(_dot_)e(_dot_)carpenter(_at_)gmail(_dot_)com, which he may or may not 
notice. We can't proceed to RFC without him noticing, because he has to reply 
to the AUTH48. Would it be possible to spoof all this? Maybe, but that's pretty 
much all you need to get a DV certificate.

If we use ORCID instead of email, we get less strong authentication. We need to 
bind not the ORCID to a government-issued identity, but to all other instances 
of ORCID use, otherwise it doesn't uniquely identify a single entity.


