Quoting Kate Dawson (2016-04-26 22:29:01)

> No, there are various keysigning protocols. The one I propose
> does not use Government assigned ID. All you do is say you control the
> endpoint userid foo@??? and we take your word for it. Obviously
> I could turn up and generate a key with uid for holger@??? ( I
> just made this address up... ), but we presume that this is unlikely to
> happen, and the mine and the real holger@??? communications are
> unlikely to be subjected to targeted interception that would make this
> kind of MiTM effective.
>
> As a uid collects signatures it becomes harder for arbitrary imposters
> to fake up keys and perform these attacks.

Also, it's best practice to send the signed key encrypted with itself to
the email address from the user id. Uploading keys that are not yours
without explicit permission is super-rude in my opinion.


Sincerely,

Malte