On Tue, Sep 09, 2014 at 04:55:41PM +0100, Leo Vegoda wrote:
> > But the certificate issued is only
> > authenticating [email protected], it isn't authenticating Alice.
>
> That's quite a subtle distinction. Experience shows that most people
> do not understand the difference between a web browser and a search
> engine[1]. How likely do you think it is that people will understand
> the difference between the authentication of an e-mail address and
> the person controlling that address?
And if I want to send an email with sensitive business materials
to Alice's work email address, I don't expect to securely deliver
it to "Alice", rather it is intended for Alice's "at work" mailbox.
Which is not to say that it might not be interesting to have some
types of keys that are bounnd to a particular person, and allow
that person to establish related identities hosted by various email
providers.
But even then Alice might prefer certain types of messages to be
delivered to some addresses and not to others (Alice's fetish emails
should perhaps not be sent to the office).
So the picture is rather complex, ... Neither a pure "person"
identity nor a pure "role" identity is right for all cases.
--
Viktor.
_______________________________________________
Endymail mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/endymail
