-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-ID-Asymmetric: MFMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNRDE
kMCIGA1UEChMbVHJ1c3RlZCBJbmZvcm1hdGlvbiBTeXN0ZW1zMREwDwYDVQQLEwh
HbGVud29vZA==,03
MIC-Info: RSA-MD5,RSA,spAXFoNa5AMa7EzR2Gra3gbFcOtyHdbEVHSXTGVIVVO
hOhKTNEYYNVMSl1jNHr6nX4rFaLxD4jhFuiXJFNSgp2mCrruCXETRFO9Cn3ZMeLB
vnGarQLUnmtb7M+mGBKFY
Carl,

As you said, you have to check that the key is the same one you saw
before. Otherwise someone could choose the same dname (presumably
with a different key), and you could be spoofed if you didn't check
the key.

Persona certificates provide a slightly different cut at the same
problem. Persona certificates will be issued to anyone and serve the
same purpose. However, once a dname is assigned, it won't be
reassigned to someone else.

Steve

If I "met" the person through e-mail (or postings) and have communicated
only that way and if all of those messages had been signed by the same key
-- then if I get a self-signed certificate signed by the same key, I have
received *proof* that this certificate is really for that person. It is
totally trustable.
-----END PRIVACY-ENHANCED MESSAGE-----
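The two checks discussed in the message above, written out as an added example (not code from either correspondent or from any PEM implementation): a key-continuity store that pins the first key seen under each dname and flags a later message whose dname matches but whose key does not, the acceptance rule for a self-signed certificate (trusted only if it carries the key every earlier message from that dname was signed with), and a minimal persona-CA registry that issues to anyone but never reassigns a dname to a different key. Signature verification of each message is assumed to have already happened; the sample keys, dnames and the SHA-256 fingerprinting are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def key_fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of the raw public-key bytes (hash choice is an assumption)."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class KeyContinuityStore:
    """Remembers the first key seen for each dname and whether that dname was ever
    seen with a different key (the spoofing case Steve describes)."""
    pinned: Dict[str, str] = field(default_factory=dict)
    conflicted: Set[str] = field(default_factory=set)

    def observe(self, dname: str, public_key: bytes) -> str:
        """Record a (verified) signed message. Returns FIRST_SEEN, MATCH or MISMATCH."""
        fp = key_fingerprint(public_key)
        known = self.pinned.get(dname)
        if known is None:
            self.pinned[dname] = fp
            return "FIRST_SEEN"
        if known == fp:
            return "MATCH"
        # Same dname, different key: do not silently re-pin; remember the conflict.
        self.conflicted.add(dname)
        return "MISMATCH"


def accept_self_signed_cert(store: KeyContinuityStore, dname: str, cert_key: bytes) -> bool:
    """Carl's rule: a self-signed certificate for dname is trusted only if its key is the
    one every earlier message from that dname was signed with. No history, or a history
    containing a different key under the same dname, means no trust."""
    known = store.pinned.get(dname)
    if known is None or dname in store.conflicted:
        return False
    return known == key_fingerprint(cert_key)


class PersonaCA:
    """Steve's persona-certificate model: issued to anyone, but once a dname is assigned
    it is never reassigned. Re-issuing to the same key (renewal) is allowed; that
    renewal behaviour is an assumption, not something the message specifies."""

    def __init__(self) -> None:
        self.assigned: Dict[str, str] = {}

    def issue(self, dname: str, public_key: bytes) -> Optional[str]:
        """Return the certified key fingerprint, or None if dname belongs to another key."""
        fp = key_fingerprint(public_key)
        if dname in self.assigned and self.assigned[dname] != fp:
            return None
        self.assigned[dname] = fp
        return fp


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: Carl signs two messages, an impostor reuses Carl's dname."""
    carl_key, impostor_key = b"constructed-carl-public-key", b"constructed-impostor-key"
    store = KeyContinuityStore()
    results = {
        "msg1": store.observe("CN=Carl", carl_key),
        "msg2": store.observe("CN=Carl", carl_key),
        "cert_ok": accept_self_signed_cert(store, "CN=Carl", carl_key),
        "cert_impostor": accept_self_signed_cert(store, "CN=Carl", impostor_key),
        "spoof_attempt": store.observe("CN=Carl", impostor_key),
    }
    # After a dname/key conflict, even the original key no longer gets the "proof" status.
    results["cert_after_conflict"] = accept_self_signed_cert(store, "CN=Carl", carl_key)
    ca = PersonaCA()
    results["persona_first"] = ca.issue("CN=Carl", carl_key) is not None
    results["persona_reassign"] = ca.issue("CN=Carl", impostor_key)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The store deliberately refuses to re-pin on a mismatch; whether the original dname holder or the newcomer is the impostor cannot be decided from the messages alone, which is exactly the gap the persona CA closes by refusing the second assignment.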