If this is good or not depends on what you want to achieve.
If the goal is establishing confidential communication between a limited number
of parties it seems that on-line based schemes (IM,
Skype) tailored after TLS could also be a viable alternative. Message
encryption is a PITA and doesn't really work for the
mass-market due to the absence of a working key recovery scheme.
For ordinary enterprise-messaging server-to-server encryption is the only
realistic alternative in order to comply with various
information leakage and content control policies that are currently being put
in place. Massive use of end-to-end encryption is
simply not feasible no matter how useful it may appear to be.
Another fly in Ian's soup is that the US government (which is the entity who
have thrown the most money on this since long dead
horse called S/MIME) so far haven't actually published their keys. BTW, in
this context it is worth mentioning that for citizens,
you rather often deal with a department rather than an officer since you
typically do not know the government people that well.
The only working and [almost] established way of securely communicating with a
department is through the web.
It seems that S/MIME encryption works fine for communities having strong IT
support. On the Internet it doesn't work equally well
and has also been displaced by the web. On the Internet we primarily need to
improve authentication and reducing spam.
----- Original Message -----
From: "Peter Gutmann" <pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz>
Sent: Thursday, November 22, 2007 15:50
Subject: S/MIME key distribution proposal
If an email can be used to send the key (signed), then why can't an email be
used to request a key? Imagine that we added an email convention, a little
like those old maillist conventions, that did this:
Subject: GETSMIME fc(_at_)example(_dot_)com
and send it off. A mailclient like Thunderbird could simply reply by
forwarding the key. (How this is done is an exercise for the reader. If you
can't think of 3 ways in the next 3 minutes, you need more exercise.)
Seems like a very simple, straightforward way to automate getting someone's
key for S/MIME email purposes. Is it worth doing this as an RFC to get it
standardised in mailers?