On 03/14/2016 08:18 AM, John C Klensin wrote:
However, consider a different case. Assume I have a message, whose content I consider sensitive, that I need to transmit to a party I know but with whom I have not corresponded by email before (and, therefore, Doug's "replying to message" case does not apply). Now I don't need to send that by email. I may have the post, fax, assorted courier services, reading it on the phone (PSTN or VoIP), transmitting it by IM or text message, and other methods available to me.
In this scenario the PGP community has long (and I mean, for 20 years or so) advised to ring the person and confirm their key fingerprint (and by extension preferred e-mail address) over the phone. I don't see any reason why the existence of a DNS mechanism would change that advice.
[1] As an aside, if I've got a trusted way to obtain that fingerprint without using the DNS, I most likely have another way to obtain the key so I don't need this I-D and protocol. When that argument is reversed, some of the advantages of Doug's suggestion (somewhat similar to that of others, earlier) to put fingerprint (and maybe other) information in the DNS rather than the key itself become obvious. But, if we are really committed to letting a thousand experiments bloom, that is not relevant.
Thanks! Doug
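The long-standing advice in the reply above, read the fingerprint to the other party over the phone and only then trust the key you retrieved, as a worked example. This is code added here, not part of the thread or of the I-D it discusses. It assumes a version-4 RSA public-key packet body was obtained from the DNS mechanism under discussion (the name KEY_FROM_DNS and the helper names are assumptions, and the key material is a constructed toy value, not a real key); the fingerprint computation itself follows RFC 4880 section 12.2.

```python
import hashlib
import hmac
import re


def mpi(value: int) -> bytes:
    """Encode an unsigned integer as an OpenPGP MPI: two-byte bit length, then big-endian magnitude."""
    if value < 0:
        raise ValueError("MPI values are unsigned")
    bit_len = value.bit_length()
    return bit_len.to_bytes(2, "big") + value.to_bytes((bit_len + 7) // 8, "big")


def rsa_public_key_body(creation_time: int, n: int, e: int) -> bytes:
    """Body of a version-4 RSA public-key packet (RFC 4880 section 5.5.2):
    version 4, four-byte creation time, algorithm 1 (RSA), then MPIs n and e."""
    return b"\x04" + creation_time.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """Version-4 fingerprint (RFC 4880 section 12.2): SHA-1 over the octet 0x99,
    the two-octet length of the packet body, and the body. Returned as 40 upper-case hex digits."""
    if len(body) > 0xFFFF:
        raise ValueError("public-key packet body too long for a two-octet length")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def normalize_spoken_fingerprint(text: str) -> str:
    """A fingerprint read out over the phone is written down in groups of four,
    maybe in lower case, maybe with a 0x prefix. Canonicalise it and insist on the
    full 40 hex digits; a short key ID is not a fingerprint and must not be accepted here."""
    cleaned = re.sub(r"\s+", "", text).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("expected 40 hex digits (a full v4 fingerprint, not a short key ID)")
    return cleaned


def key_matches_spoken_fingerprint(body: bytes, spoken: str) -> bool:
    """True only if the key obtained from the DNS has exactly the fingerprint
    confirmed out of band. The comparison is constant-time; it costs nothing."""
    return hmac.compare_digest(v4_fingerprint(body), normalize_spoken_fingerprint(spoken))


# Constructed sample (assumption): a toy 64-bit modulus standing in for the key
# body the DNS lookup returned for the correspondent. Not a real key.
KEY_FROM_DNS = rsa_public_key_body(creation_time=1457943480, n=0xC0FFEE1234567891, e=65537)


if __name__ == "__main__":
    fp = v4_fingerprint(KEY_FROM_DNS)
    # What the correspondent would read out: groups of four, case as they happened to say it.
    spoken = " ".join(fp[i:i + 4] for i in range(0, 40, 4)).lower()
    print("fingerprint of DNS key  :", fp)
    print("fingerprint read by phone:", spoken)
    print("match:", key_matches_spoken_fingerprint(KEY_FROM_DNS, spoken))
```

The point of the check is that the DNS answer supplies the key and the phone call supplies the trust; if the two disagree, or if the caller only has an eight-digit key ID to offer, the key is not used.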