On Fri, Sep 6, 2013 at 9:09 PM, Ted Lemon <ted.lemon@xxxxxxxxxxx> wrote:
On Sep 6, 2013, at 8:21 PM, Melinda Shore <melinda.shore@xxxxxxxxx> wrote:This is what I mean by "a high bar." Signing someone's PGP key should mean "I know this person as X," not "this person is X."
> when you vouch for someone's identity - in an authoritative
> trust system - you're also vouching for the authenticity of
> their transactions.
For purposes of email security it is not about the keys at all. It is the email addresses that are the real killer.
I can be very sure that I have the right key for ted.lemon@xxxxxxxxxxx but is that who I know as Ted Lemon?
One value of IETF key signing parties is that we get a better assurance that we know the email address we are sending to is the address of the Ted Lemon that participates in IETF than we can possibly get through Web of Trust where someone may be signing a key in all good faith but for the wrong person.