On Wed, 2015-04-08 at 10:15 -0400, Phillip Hallam-Baker wrote:
> Personally, I believe that owning your personal DNS name is as
> important for security as having a keypair.

Why should it give you any security?

> I have a huge part of my
> brand invested in hallam@xxxxxxxxx which I don't own. Which is why I
> switched to phill@xxxxxxxxxxxxxxx for ietf work. But I have yet to win
> that argument.

It only gives you that some company cannot easily take away your mail
address, but OTOH it's probably an illusion to believe that your own
domain name protects you much more from this. See cases like the German
person called "Shell", who had shell.de and guess who has it now.

> I really don't like having ICANN as my root CA either. DNSSEC is a
> monolithic, single rooted scheme which I don't consider very
> trustworthy because of that.

Sure, it has similar problems to the X.509 PKI, just on a less extreme
scale. But no one should try to impose a strict hierarchical trust model
on OpenPGP anyway. So I don't think it's a particularly good idea to
somehow combine OpenPGP with DNS/DNSSEC/DANE. If at all, that would
mostly only be interesting for securing TOFU-like systems at least a tiny
bit - but OTOH, we shouldn't follow TOFU, it's basically a big lie as I
pointed out in a recent lengthy thread on one of the gnupg mailing lists.

> We do need trust hierarchies for key management. But each individual
> should be the root of their personal hierarchy.

+1

> I don't think anyone has signature validation done right today. All
> signatures are broken unless they are enrolled in an append-only log.
> To verify a signature, you need to go back in time to the point where
> the signature was created and check the signature in that time
> context.

I don't get the point here. At least it doesn't sound like anything in
the responsibility of the crypto system, rather something for higher
level programs.

Cheers,
Chris.
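The "verify in the time context of signing" idea quoted above, as an added illustration that is not part of the thread: signatures are enrolled in a hash-chained append-only log, and verification replays the log up to the entry's own time to decide whether the key was valid then, so a later revocation does not retroactively break an earlier signature, while a signature enrolled after revocation fails. The key ids, secret and timestamps are constructed, and HMAC-SHA256 stands in for a public-key signature primitive.

```python
import hashlib, hmac, json
SECRETS = {"key-A": b"constructed-secret-for-key-A"}  # constructed; HMAC stands in for public-key signing

def sign(key_id, msg, t):  # the signed data binds key id and signing time to the message
    return hmac.new(SECRETS[key_id], f"{key_id}|{t}|{msg}".encode(), hashlib.sha256).hexdigest()
def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AppendOnlyLog:  # hash-chained entries: each one commits to the previous entry's hash
    def __init__(self):
        self.entries = []
    def append(self, t, kind, **fields):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"t": t, "kind": kind, "prev": prev, **fields}
        self.entries.append({**body, "hash": _digest(body)})
        return len(self.entries) - 1
    def verify_chain(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def key_valid_at(log, key_id, t):
    # Replay the log up to time t: the key must have been created and not yet revoked.
    created = revoked = False
    for e in log.entries:
        if e["t"] <= t and e.get("key_id") == key_id:
            created |= e["kind"] == "key_created"
            revoked |= e["kind"] == "key_revoked"
    return created and not revoked

def verify_enrolled(log, idx):
    # Verify the signature at log index idx in its enrollment-time context (the log's time, not a signer-claimed one).
    e = log.entries[idx]
    if e["kind"] != "sig" or not log.verify_chain() or not key_valid_at(log, e["key_id"], e["t"]):
        return False
    return hmac.compare_digest(sign(e["key_id"], e["msg"], e["t"]), e["sig"])

def build_example_log():
    # Constructed history: key created, signature enrolled, key revoked, later signature enrolled.
    log = AppendOnlyLog()
    log.append(1, "key_created", key_id="key-A")
    ok = log.append(2, "sig", key_id="key-A", msg="hello", sig=sign("key-A", "hello", 2))
    log.append(3, "key_revoked", key_id="key-A")
    late = log.append(4, "sig", key_id="key-A", msg="bye", sig=sign("key-A", "bye", 4))
    return log, ok, late
```

A verifier that only asks "is the key valid now?" would reject both signatures after the revocation; the log-time check keeps the earlier one valid and rejects only the later one, and any edit to an enrolled entry breaks the chain.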
_______________________________________________
openpgp mailing list
openpgp@xxxxxxxx
https://www.ietf.org/mailman/listinfo/openpgp