Or, if your just going to nail this to email, its a whole lot easier to just insert this header.. xkcd.com/1181/ no real need to be fancy and do the actual PGP verification. Takes far to long. manning bmanning@xxxxxxxxxxx PO Box 6151 Playa del Rey, CA 90296 310.322.8102 On 21September2015Monday, at 16:24, manning <bmanning@xxxxxxxxxxx> wrote: > I think Paul nails it, at least for the more aware folks around. Using the WoT to gauge anything other than confidence in choice of friends/associates is asking for trouble. > See Also: Robin Sage : en.wikipedia.org/wiki/Robin_Sage > > manning > bmanning@xxxxxxxxxxx > PO Box 6151 > Playa del Rey, CA 90296 > 310.322.8102 > > > > > > > On 21September2015Monday, at 12:14, Paul Wouters <paul@xxxxxxxxx> wrote: > >> On Mon, 21 Sep 2015, John Levine wrote: >> >>>> OPENPGP is a data format, WoT is one way to employ that format to >>>> exchange messages. It is not a *required* way to use OPENPGP. >>> >>> Sure, but it's the way that everyone has used PGP for 20 years, >>> and it's the security model that everyone I know expects when they >>> use PGP keys. >> >> Actually, nmost people I know never use the WoT. They only use keys >> obtained directly from the person they want to exchange encrypted email >> with. >> >>> This draft uses a model in which the key is bound to a mailbox >> >> openpgp keys are bound to ID's, which can ultimately end up in a >> mailbox but is not required to do so. >> >> For instance, the gpg key used to sign fedora21 packages with an openpgp >> key ID containing "fedora21@xxxxxxxxxxxxxxxxx" might not have any mailbox >> associated with it. It is merely shared in the DNS under an email address, >> without a mailbox or valid local-part. >> >>> any stronger identity, and you have to trust that the domain's >>> management fairly represents its users >> >> Correct, the domain's management that controls either DNS or SMTP servers, >> can steal a users email. >> >>> That's not a ridiculous model, but if >>> that's the model, the draft and draft-ietf-dane-openpgpkey-usage need >>> to say so. At this point, neither does. >> >>> From the Introduction: >> >> This document specifies a method for publishing and >> locating OpenPGP public keys in DNS for a specific email address >> using a new OPENPGPKEY DNS Resource Record. Security is provided via >> DNSSEC. >> >> So your point is made already pretty clear in the introduction >> already. Security comes from DNSSEC, so whoever controls the domain, >> controls the publishing of openpgp keys. >> >> Section 5.2 also contains some advise. Section 7.4 also mentions this, >> but not under a section title that makes that very clear. >> >> Some clarifications will be made, especially in the security >> considerations section, to clarify this, based on the IETF LC comments. >> >> Thank you, >> >> Paul >> >