On Sep 16, 2013, at 11:31 PM, John Levine <johnl@xxxxxxxxx> wrote: >> How do I know that the sender of this message actually has the right >> to claim the ORCID in question (0000-0001-5882-6823)? The web page >> doesn't present anything (such as a public key) that could be used >> for authentication. > > I dunno. How do we know who brian.e.carpenter@xxxxxxxxx is? What's the difference between ignorance and indifference? Whoever brian.e.carpenter@xxxxxxxxx is, it could be a man, a woman, or a whole think tank responding as one person (like NAT, but for email). Regardless, brian.e.carpenter replies to emails and publishes drafts (which requires replying to an email), and has his name on recent RFCs (which also requires replying to the AUTH48 message). So whoever is behind the email address, he, she or they are an active IETF participant. Right now, nobody is preventing me from submitting an I-D and listing Brian as co-author, except a mail would be sent to brian.e.carpenter@xxxxxxxxx, which he may or may not notice. We can't proceed to RFC without him noticing, because he has to reply to the AUTH48. Would it be possible to spoof all this? Maybe, but that's pretty much all you need to get a DV certificate. If we use ORCID instead of email, we get less strong authentication. We need to bind not the ORCID to a government-issued identity, but to all other instances of ORCID use, otherwise it doesn't uniquely identify a single entity.