[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [openpgp] OpenPGP private certification

On Wed, 2015-04-08 at 10:15 -0400, Phillip Hallam-Baker wrote: 
> Personally, I believe that owning your personal DNS name is as
> important for security as having a keypair.
Why should it give you any security?

> I have a huge part of my
> brand invested in hallam@xxxxxxxxx which I don't own. Which is why I
> switched to phill@xxxxxxxxxxxxxxx for ietf work. But I have yet to win
> that argument.
It only gives you that some company cannot easily take away your mail
address, but OTOH it's probably an illusion to believe that your own
domain name protects you much more from this.

See cases like the German person called "Shell", who had shell.de and
guess who has it now.

> I really don't like having ICANN as my root CA either. DNSSEC is a
> monolithic, single rooted scheme which I don't consider very
> trustworthy because of that.
Sure, it has similar problems like the X.509 PKI, just on a less extreme
But no one should try to impose a strict hierarchical trust model on
OpenPGP anyway. So I don't think it's a particularly good idea to
somehow combine OpenPGP with DNS/DNSSEC/DANE.

If at all that would mostly only interesting for securing TOFU like
systems at least a tiny bit - but OTOH, we shouldn't follow TOFU, it's
basically a big lie as I pointed out in a recent lengthy thread on one
of the gnupg mailing lists.

> We do need trust hierarchies for key management. But each individual
> should be the root of their personal hierarchy.

> I don't think anyone has signature validation done right today. All
> signatures are broken unless they are enrolled in an append-only log.
> To verify a signature, you need to go back in time to the point where
> the signature was created and check the signature in that time
> context.
I don't get the point here. At least it doesn't sound like anything in
the responsibility of the crypto system, rather something for higher
level programs.


Attachment: smime.p7s
Description: S/MIME cryptographic signature

openpgp mailing list