Re: PGP security models, was Summary of IETF LC for draft-ietf-dane-openpgpkey

2015-09-23 15:14:05
I think this is OK. That's what you get for using a domain who does this sort of thing as your email provider.

Right. But again, if I'm trying to find your key, I have no way to know how sleazy your mail provider is, so I have no way to tell whether to trust the keys they publish.

I do consider this proposal's handling of this case superior to the key

A key you get from the key servers might be real or might be bogus. A key you get through DANE might be real or might be bogus. What's the difference? A key from DANE implicitly has an endorsement from the domain, but a key from key servers can have endorsements via WoT signatures. In each case, unless you know the endorser, the endorsement is useless.


