Re: [dane] PGP security models, was Summary of IETF LC for draft-ietf-dane-openpgpkey

2015-09-23 07:56:32
In your letter dated Wed, 23 Sep 2015 03:57:31 +0000 you wrote:
On Wed, Sep 23, 2015 at 09:44:57AM +0600, Randy Bush wrote:
Paul Wouters wrote:
Actually, most people I know never use the WoT. They only use keys
obtained directly from the person they want to exchange encrypted email
with.

At Mon, 21 Sep 2015 16:24:10 -0700, Bill Manning wrote:

I think Paul nails it, at least for the more aware folks around.
Using the WoT to gauge anything other than confidence in choice of
friends/associates is asking for trouble.

i think bill nails it.  trust in identity is what it is about for me.
i am communicating with a person, not a dns or smtp server; the latter
are agents, and ones which have failed repeatedly over the decades.

We'll likely never meet in person.  You have a sensitive message
to send me about Postfix or OpenSSL or something like that.  Now
what?

Or more likely you have nothing sensitive to send me at all, but
prefer not to have your communications routinely intercepted or
stored in the clear.  Now what?

Assuming just normal e-mail, nothing extremely sensitive, why do (some of
us) have higher requirements for e-mail than for web servers?

For sensitive e-mail, yes, find an out of band way to verify someone's
key. And sign it yourself.

But for ordinary e-mail, if we can trust the CA system to protect websites,
why not trust DNSSEC to protect e-mail?

