Re: pgp signing in van

On Fri, Sep 6, 2013 at 9:09 PM, Ted Lemon <ted.lemon@xxxxxxxxxxx> wrote:
On Sep 6, 2013, at 8:21 PM, Melinda Shore <melinda.shore@xxxxxxxxx> wrote:
> when you vouch for someone's identity - in an authoritative
> trust system - you're also vouching for the authenticity of
> their transactions.

This is what I mean by "a high bar." Signing someone's PGP key should mean "I know this person as X," not "this person is X."


For purposes of email security it is not about the keys at all. It is the email addresses that are the real killer.

I can be very sure that I have the right key for ted.lemon@xxxxxxxxxxx but is that who I know as Ted Lemon?


One value of IETF key signing parties is that we get a better assurance that we know the email address we are sending to is the address of the Ted Lemon that participates in IETF than we can possibly get through Web of Trust where someone may be signing a key in all good faith but for the wrong person.

