ietf-asrg

[Asrg] Cert-based Spam Fighting (rant)

2003-03-12 08:47:20
For the purposes of fighting spam the following configuration would be
sufficient:

1) Alice's client generates self signed cert
2) Alice's client uses DNS srv to discover XKMS service for email zone
3) Alice's client registers certificate with XKMS service

4) Alice sends email to Bob

5) Bob's client looks up policy of Alice's DNS zone, it is always authenticate
   using S/MIME, no root key specified, XKMS service specified.
6) Bob checks that message is signed correctly
7) Bob retrieves Alice's self signed cert via XKMS locate


Has anyone here suggesting the use of certificates in fighting spam done any S/MIME interoperability testing?

<rant>
I'm all for the use of PKI to solve the world's problems... but... the fact is that the current implementations of S/MIME in off-the-shelf email products are worse than any implementation I've ever seen.

I'd seriously recommend that folks interested in utilizing PKI first survey the industry's capability of providing a PKI-based solution that works. How many websites do you hit with IE/Mozilla throwing up its hands about a bad certificate? Is it the site's fault or the browser's? Usually the site's. That said, have you ever tested the cert chain following capabilities of the browsers? Talk about a buggy area.

I won't even go into certificate revocation issues...

</rant>

-jbn
(Former/Recovering PKI Implementer)


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
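
The seven-step flow listed at the top of this message, sketched as an added example that is not part of the original post and is not code from any XKMS or S/MIME product. It assumes in-memory dictionaries in place of DNS and the XKMS service, hypothetical names (`ZONE_POLICY`, `XKMS`, `register`, `bob_check`), and textbook RSA over fixed primes as an insecure stand-in for S/MIME signing.

```python
import hashlib

E = 65537  # public exponent for the toy RSA stand-in (NOT secure, demo only)

def keygen(p, q):
    """Step 1: 'self-signed' key pair, here textbook RSA from two known primes."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(body, n):
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % n

def sign(priv, body):
    n, d = priv
    return pow(digest(body, n), d, n)

def verify(pub, body, sig):
    n, e = pub
    return pow(sig, e, n) == digest(body, n)

# Constructed stand-ins for DNS (zone policy + SRV target) and the XKMS service.
ZONE_POLICY = {"example.org": {"auth": "always", "xkms": "xkms.example.org"}}
XKMS = {"xkms.example.org": {}}

def register(addr, pub):
    """Steps 2-3: discover the zone's key service and register the key there."""
    zone = addr.split("@")[1]
    XKMS[ZONE_POLICY[zone]["xkms"]][addr] = pub

def bob_check(sender, body, sig=None):
    """Steps 5-7: policy lookup, then verify against the key the zone serves."""
    policy = ZONE_POLICY.get(sender.split("@")[1])
    if policy is None:
        return "no-policy"              # zone makes no claim; other filters decide
    if sig is None:                     # "always authenticate" forbids unsigned mail
        return "reject-unsigned" if policy["auth"] == "always" else "unsigned-allowed"
    pub = XKMS[policy["xkms"]].get(sender)   # XKMS Locate; no root key involved
    if pub is None or not verify(pub, body, sig):
        return "reject-bad-signature"
    return "accept"

# Constructed sample identities; the primes are Mersenne primes.
alice_pub, alice_priv = keygen(2**89 - 1, 2**127 - 1)
_, mallory_priv = keygen(2**61 - 1, 2**107 - 1)
register("alice@example.org", alice_pub)
```

Trust here rests only on the sender's zone naming its key service, so a message is bound to the zone that published the policy, not to any identity a CA has vetted.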


