On Mon, 21 Sep 2015, John Levine wrote:
>> OPENPGP is a data format, WoT is one way to employ that format to
>> exchange messages. It is not a *required* way to use OPENPGP.
> Sure, but it's the way that everyone has used PGP for 20 years,
> and it's the security model that everyone I know expects when they
> use PGP keys.
Actually, most people I know never use the WoT. They only use keys
obtained directly from the person they want to exchange encrypted email
> This draft uses a model in which the key is bound to a mailbox
openpgp keys are bound to IDs, which can ultimately end up in a
mailbox but are not required to do so.
For instance, the gpg key used to sign fedora21 packages with an openpgp
key ID containing "fedora21@fedoraproject.org" might not have any
associated with it. It is merely shared in the DNS under an email address,
without a mailbox or valid local-part.
> any stronger identity, and you have to trust that the domain's
> management fairly represents its users
Correct, the domain's management that controls either the DNS or SMTP servers
can steal a user's email.
> That's not a ridiculous model, but if
> that's the model, the draft and draft-ietf-dane-openpgpkey-usage need
> to say so. At this point, neither does.
From the Introduction:
This document specifies a method for publishing and
locating OpenPGP public keys in DNS for a specific email address
using a new OPENPGPKEY DNS Resource Record. Security is provided via
So your point is already made pretty clear in the introduction.
Security comes from DNSSEC, so whoever controls the domain
controls the publishing of openpgp keys.
Section 5.2 also contains some advice. Section 7.4 also mentions this,
but not under a section title that makes that very clear.
Some clarifications will be made, especially in the security
considerations section, to clarify this, based on the IETF LC comments.
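An added example, not part of this thread or the draft's own code: the owner-name derivation behind the mailbox binding discussed above, as it was published in RFC 7929 (SHA2-256 over the UTF-8 local-part, truncated to 28 octets, hex-encoded, under the `_openpgpkey` label of the domain), plus a minimal sanity check that OPENPGPKEY RDATA begins with an OpenPGP Public-Key packet. The sample RDATA bytes are constructed and are not a real key; the function names are mine.

```python
import base64
import hashlib


def openpgpkey_owner_name(address: str) -> str:
    """Return the DNS owner name to query for an email address (RFC 7929)."""
    local_part, sep, domain = address.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError("expected local-part@domain")
    # The local-part is hashed exactly as given: no case folding and no
    # check that a mailbox exists behind it. That is why a key ID such as
    # fedora21@fedoraproject.org can be published even without a mailbox,
    # and why whoever controls the zone (and DNSSEC) controls publication.
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain}"


def first_packet_tag(rdata_b64: str) -> int:
    """Decode OPENPGPKEY RDATA (base64 of a transferable public key) and
    return the packet tag of its first OpenPGP packet (RFC 4880 header)."""
    raw = base64.b64decode(rdata_b64, validate=True)
    if not raw or not (raw[0] & 0x80):
        raise ValueError("not an OpenPGP packet header")
    if raw[0] & 0x40:                 # new-format header: tag in low 6 bits
        return raw[0] & 0x3F
    return (raw[0] >> 2) & 0x0F       # old-format header: tag in bits 2..5


def looks_like_public_key(rdata_b64: str) -> bool:
    """A transferable public key must start with a Public-Key packet (tag 6);
    anything else is rejected before being handed to a PGP implementation."""
    try:
        return first_packet_tag(rdata_b64) == 6
    except (ValueError, IndexError):
        return False


# Constructed sample RDATA: new-format header for tag 6 (0xC6), 3-byte body
# (0x04 = version 4 key, then two placeholder bytes). Not a real key.
SAMPLE_PUBKEY_RDATA = base64.b64encode(bytes([0xC6, 0x03, 0x04, 0x00, 0x00])).decode()
# Constructed non-key RDATA: new-format header for tag 2 (a Signature packet).
SAMPLE_SIG_RDATA = base64.b64encode(bytes([0xC2, 0x01, 0x04])).decode()

if __name__ == "__main__":
    print(openpgpkey_owner_name("hugh@example.com"))
    print(looks_like_public_key(SAMPLE_PUBKEY_RDATA), looks_like_public_key(SAMPLE_SIG_RDATA))
```

A lookup of the derived name is only meaningful when the resolver reports DNSSEC validation for the answer; the name derivation itself carries no trust.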