> On Feb 19, 2016, at 8:57 AM, Paul Wouters <paul@xxxxxxxxx> wrote: > > It can be used where otherwise a message would go out unencrypted. I think this is the *crucial* point. Just as DANE seems to be a good fit for authenticating opportunistic TLS in SMTP, implementation details aside (this draft, vs. addrquery, ...) it also seems like a good fit for authenticating "opportunistic PGP" if I a may be so bold as to coin a new term. One resorts to finding keys via DNS for better than nothing content encryption of communication with the unwashed masses. For communication with a covert whistle-blower one probably wants a greater level of assurance. The PGP web of trust does not scale to ad-hoc contact with strangers, this draft and its alternatives are to a great extent attempts to fill that gap by providing keys for opportunistic end-to-end email encryption. Encrypt what you can, send the rest in the clear. In some cases, the authenticity of keys obtained via DNS-authenticated online queries may be verifiable out of band (call the correspondent by phone or meet them in person and check the fingerprint, ...), then one might use this and related drafts for key acquisition, with follow-up verification as and when appropriate. There is no one-size-fits-all security model for end-to-end encryption. Neither PGP nor S/MIME dictate a single security model, except by virtue of lack of extant alternatives. -- Viktor.