One reader sent me an e-mail indicating that he didn't see what my original
post had to do with the deliberations of this group. Here is a copy of the
clarifying response I sent him:
My objection is based on the current quote from draft-ietf-smime-cert:
"Clients MAY send CA certificates, that is, certificates that are self-
signed and can be considered the "root" of other chains. Note that
receiving agents SHOULD NOT simply trust any self-signed certificates
as valid CAs, but SHOULD use some other mechanism to determine if this
is a CA that should be trusted."
The provision of self-signed CA certificates corrupts the rigid heirarchical
model, and I think the hand-waving "should use some other mechanism" casts the
huge body of arms-length users unable or unwilling to check such a CA's bona
fides adrift. It can ruin the "bank check/credit card" model of S/MIME as
practiced in Netscape and Explorer via Verisign and the many other certifiers,
where CAs are required to conform to specified standards, and are audited to
that, just as banks are supervised by the Controller of the Currency, and
credit card issuers by VISA, MASTER CARD, etc. While I have no objection to
web of trust as a separate model in some other standard, to weaken S/MIME in
this way can destroy its usefulness as a routinely trusted medium (just
as are VISA and MASTER CARDS and checks after perhaps checking only the
individual account's validity--corresponding to a user's public key).
I speak as a professional economist. For details, read any good introductory
economics text on money and banking. The conceptual issues are exactly the
same for trust here (whether for e-mail or transactions) as they were in the
abolition of specie money and the rise of national banking systems, and
subsequently national and international credit card systems.
My recommendation is that the subject paragraph, and any other opening for
self-signed CA certificates be dropped from the standard.
David