On 12 August 2013 18:16, Adam Bolte <abolte@systemsaviour.com> wrote:
> This is a really good point. I'm not sure which side of the fence is best, but I feel that we should quickly discuss this point on Thursday if time permits.

Problem is that the name of the person doesn't uniquely identify the person. The email [1] address does.

So I could get people to sign my key as:

Brian May <brian@brianmay.com>

It matches my passport. It looks right. It must be ok, right? The fact this email address may not be valid doesn't matter (and is probably better that way).

I now can impersonate Brian May[2], and ensure he gets blamed for all my evil doings. Just as he could have a certificate signed with my email address, and pretend to be me. Sure, he won't get the emails, but can still do a lot of damage.

[1] Almost always anyway. Sometimes email addresses can be reassigned however (IIRC Yahoo or somebody was doing this).

[2] hint: http://www.brianmay.com/ - it isn't me!

--
Brian May <brian@microcomaustralia.com.au>