
Re: Weakening the rigid hierarchical trust model

1997-12-29 20:34:32
At 06:48 PM 12/29/97 -0800, David Sternlight wrote:
> I think that for the standard itself to carry trust, it is not enough to rely
> on the good sense of MUA makers and the ability of recipients alone to ignore
> possibly untrustworthy self-signed CAs.

This, then, is the basis of our disagreement. I don't see anything that we
can do to fully cover the trust issue for all users, other than, as you
have, outlaw anything other than rejecting all self-signed certs mailed to
a receiving agent.

> I think it a bad idea to weaken
> the model in this particular standard.

The current standard explicitly allows self-signed certs. The last draft
for S/MIME v2 reads:

    Clients MAY send CA certificates, that is, certificates that are
    self-signed and can be considered the "root" of other chains. Note
    that receiving agents SHOULD NOT simply trust any self-signed
    certificates as valid CAs, but SHOULD use some other mechanism
    to determine if this is a CA that should be trusted.

In fact, I think you are overestimating when you suggest that today's
deployed S/MIME v2 applications don't allow them. At the S/MIME testing at
MailConnect 3, I heard that some vendors accepted self-signed certs, and
others didn't. Deming, Microsoft, Netscape, and other developers are
encouraged to jump in here and say what their shipping receiving MUAs do
when mailed a self-signed cert.

But either way, what you're asking for is a change from the S/MIME v2 spec.
That might be fine with the WG, it might not. What do others say?

--Paul Hoffman, Director
--Internet Mail Consortium
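An added illustration of the draft's "some other mechanism" clause quoted above (my own example, not code from the IMC, the WG, or any S/MIME vendor): a receiving agent recognises a mailed self-signed cert and admits it as a root only when the user has already pinned its SHA-256 fingerprint through another channel. The Go function names and the constructed in-memory root are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)
// isSelfSigned: the cert names itself as issuer and its own key verifies its signature.
func isSelfSigned(cert *x509.Certificate) bool {
	return cert.Subject.String() == cert.Issuer.String() && cert.CheckSignatureFrom(cert) == nil
}
// fingerprint is the SHA-256 of the DER cert, the value a user would pin via another channel.
func fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}
// acceptAsRoot: a mailed self-signed cert becomes a trust anchor only if it was pinned out of band.
func acceptAsRoot(cert *x509.Certificate, pinned map[string]bool) bool {
	return isSelfSigned(cert) && pinned[fingerprint(cert)]
}
// newSelfSignedCA builds a constructed in-memory root for the demo (not a real CA).
func newSelfSignedCA(cn string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
func main() {
	ca, err := newSelfSignedCA("Constructed Test Root")
	if err != nil {
		panic(err)
	}
	fmt.Println(acceptAsRoot(ca, nil), acceptAsRoot(ca, map[string]bool{fingerprint(ca): true})) // false true
}
```

The same check applies unchanged to a real cert pulled out of a signed message's certificate bag; only the source of the pinned fingerprints (a user-managed store rather than a literal map) would differ.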