Re: [dane] PGP security models, was Summary of IETF LC for draft-ietf-dane-openpgpkey

On Wed, Sep 23, 2015 at 09:44:57AM +0600, Randy Bush wrote:

> Paul Wouters wrote:
> 
> > Actually, most people I know never use the WoT. They only use keys
> > obtained directly from the person they want to exchange encrypted email
> > with.
> 
> this is not my experience
> 
> it will be a long time before i trust a dane/dnssec identity binding
> over pgp's.
> 
> At Mon, 21 Sep 2015 16:24:10 -0700, Bill Manning wrote:
> 
> > I think Paul nails it, at least for the more aware folks around.
> > Using the WoT to gauge anything other than confidence in choice of
> > friends/associates is asking for trouble.
> 
> i think bill nails it.  trust in identity is what it is about for me.
> i am communicating with a person, not a dns or smtp server; the latter
> are agents, and ones which have failed repeatedly over the decades.

We'll likely never meet in person.  You have a sensitive message
to send me about Postfix or OpenSSL or something like that.  Now
what?

Or more likely you have nothing sensitive to send me at all, but
prefer not to have your communications routinely intercepted or
stored in the clear.  Now what?

The draft strives to make PGP scale, with an inevitable trade-off
in identity assurance.  The security needs of covert-agents are
not the same as the security needs of most ordinary citizens.

Folks who want "covert agent security" need to know what tools and
systems they can't avoid trusting (a trusted party is one that can
betray you), and then, if they are careful, avoid trusting
everything/everyone else.

The rest of us need to make reasonable compromises, that protect
most of us most of the time, ideally keeping Orwellian nightmares
in check.

-- 
	Viktor.



