Re: pgp signing in van

On Friday, September 06, 2013 23:39:59 Phillip Hallam-Baker wrote:
> On Fri, Sep 6, 2013 at 9:09 PM, Ted Lemon <ted.lemon@xxxxxxxxxxx> wrote:
> > On Sep 6, 2013, at 8:21 PM, Melinda Shore <melinda.shore@xxxxxxxxx> wrote:
> > > when you vouch for someone's identity - in an authoritative
> > > trust system - you're also vouching for the authenticity of
> > > their transactions.
> > 
> > This is what I mean by "a high bar."   Signing someone's PGP key should
> > mean "I know this person as X," not "this person is X."
> 
> For purposes of email security it is not about the keys at all. It is the
> email addresses that are the real killer.
> 
> I can be very sure that I have the right key for ted.lemon@xxxxxxxxxxx but
> is that who I know as Ted Lemon?
> 
> 
> One value of IETF key signing parties is that we get a better assurance
> that we know the email address we are sending to is the address of the Ted
> Lemon that participates in IETF than we can possibly get through Web of
> Trust where someone may be signing a key in all good faith but for the
> wrong person.

Except what you're talking about is building an IETF centered web of trust.
That's exactly the right thing to be doing.  For all the key signings I've
done the signer mails the signed key to the signee to upload to a key server.
That does provide reasonable assurance that the key, the person, and the email
address go together.

Scott K
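The mail-back workflow Scott describes, as an added example that is not part of the thread: the signer certifies one user ID, encrypts the signed key to that key, and delivers it to the address in that user ID, so only someone holding both the private key and the mailbox can import the certification. It assumes GnuPG 2.1 or later; both keyrings, names and addresses are constructed throwaways.

```shell
#!/bin/sh
# Constructed demo: two throwaway GnuPG homedirs play "signer" and "signee".
# Names and addresses are made up; nothing touches your real keyring.
set -eu

gs() { gpg --homedir "$SIGNER" --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }
ge() { gpg --homedir "$SIGNEE" --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Primary-key fingerprint of the first key matching a user ID in a given keyring.
fpr_of() { "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }

# True when the signee's keyring holds a certification made by the signer's key.
certified_by_signer() {
    keyid=$(printf '%s' "$SIGNER_FPR" | tail -c 16)
    ge --with-colons --list-sigs "$SIGNEE_FPR" |
        awk -F: -v k="$keyid" '$1=="sig" && $5==k {found=1} END {exit !found}'
}

run_demo() {
    WORK=$(mktemp -d); SIGNER="$WORK/signer"; SIGNEE="$WORK/signee"
    mkdir -m 700 "$SIGNER" "$SIGNEE"
    SIGNEE_MAIL="signee@example.invalid"   # constructed user-ID address

    # 0. Each party has a key (unprotected, demo only).
    gs --quick-generate-key "Signer <signer@example.invalid>" default default never
    ge --quick-generate-key "Signee <$SIGNEE_MAIL>" default default never
    SIGNER_FPR=$(fpr_of gs signer@example.invalid); SIGNEE_FPR=$(fpr_of ge "$SIGNEE_MAIL")

    # 1. The signee's public key reaches the signer (key server / party slip).
    ge --armor --export "$SIGNEE_FPR" > "$WORK/signee.asc"
    gs --import "$WORK/signee.asc"

    # 2. After the in-person fingerprint and ID check, the signer certifies that one UID.
    gs --quick-sign-key "$SIGNEE_FPR" "$SIGNEE_MAIL"

    # 3. The signed key is "mailed" to the UID's address, encrypted to the key itself
    #    (here: written to the file the signee would receive).
    gs --export "$SIGNEE_FPR" | gs --armor --trust-model always --recipient "$SIGNEE_FPR" --encrypt > "$WORK/mail.asc"

    # 4. Before the mail is decrypted and imported there is no certification; only the
    #    holder of the private key who also reads that mailbox can complete the step.
    certified_by_signer && { echo "unexpected certification before import"; return 1; }
    ge --decrypt "$WORK/mail.asc" | ge --import
    certified_by_signer && rc=0 || rc=1

    gpgconf --homedir "$SIGNER" --kill gpg-agent; gpgconf --homedir "$SIGNEE" --kill gpg-agent
    rm -rf "$WORK"
    return $rc
}

if command -v gpg >/dev/null 2>&1; then run_demo; echo "certification round trip OK"; fi
```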
