[dinosaurdynasty]

> After all, they could just “verify” themselves as the other party of your correspondence.

They can't do this at any real scale, because they will be caught. (Because they can't use the same key as the real key--since they don't have the private portion, if designed sanely--so anyone verifying it manually out of band will see that the trust has been violated. Also they will have to continuously modify future communications, which can be difficult, which is another way to get caught.)

[fragmede]

but then you have to catch them. wouldn't it be better if they didn't have the ability to do that in the first place?

[dinosaurdynasty]

If that was possible, we wouldn't need Certificate Transparency (whose purpose is to at scale detect Certificate Authorities doing this and other shenanigans).

Also "being able to catch them" is strictly better than "basically not able to catch them", which is the case for Twitter DMs (and most common DM systems), which was mentioned up-thread.

[bawolff]

Why/how would they get caught in the identity-based scheme mentioned in the article? What are you even verifying out of band in this context?

Like all that you wrote is true of webPKI that we use on the internet for TLS, but the article is talking about an alternative that is not PKI, and does not work the same way.