In your letter dated Wed, 23 Sep 2015 03:57:31 +0000 you wrote:
>On Wed, Sep 23, 2015 at 09:44:57AM +0600, Randy Bush wrote:
>> Paul Wouters wrote:
>> > Actually, most people I know never use the WoT. They only use keys
>> > obtained directly from the person they want to exchange encrypted email
>> > with.
>>
>> At Mon, 21 Sep 2015 16:24:10 -0700, Bill Manning wrote:
>>
>> > I think Paul nails it, at least for the more aware folks around.
>> > Using the WoT to gauge anything other than confidence in choice of
>> > friends/associates is asking for trouble.
>>
>> i think bill nails it. trust in identity is what it is about for me.
>> i am communicating with a person, not a dns or smtp server; the latter
>> are agents, and ones which have failed repeatedly over the decades.
>
>We'll likely never meet in person. You have a sensitive message
>to send me about Postfix or OpenSSL or something like that. Now
>what?
>
>Or more likely you have nothing sensitive to send me at all, but
>prefer not to have your communications routinely intercepted or
>stored in the clear. Now what?

Assuming just normal e-mail, nothing extremely sensitive, why do (some of us)
have higher requirements for e-mail than for web servers?

For sensitive e-mail, yes, find an out of band way to verify someone's key.
And sign it yourself.

But for ordinary e-mail, if we can trust the CA system to protect websites,
why not trust DNSSEC to protect e-mail?