From: Dr Stephen Henson <shenson(_at_)bigfoot(_dot_)com>
Jeff Weinstein wrote:
Also keep in mind that many users will not have access to such a
repository, either because they have e-mail only connectivity, or
they are running offline when reading their mail. It seems like
a bad idea to build the assumption into S/MIME that everyone is
always connected to the global internet.
This can give S/MIME a bad reputation and discourage people from signing
anything. All too frequently a new user's first experience of S/MIME is
being flamed for wasting bandwidth by signing everything in a public
mailing list or newsgroup. By contrast the more compact PGP signatures
seem to be tolerated more.
The annoyance factor is crucial - Jeff may not believe it, but some
Luddite users (myself included) object to receiving HTML copies of
mail list / newsgroup traffic that could be conveyed just as clearly
in plain old ASCII.
With regards to connectivity, omitting certificates (optionally, of course)
does not lead to the assumption that everyone is always connected:
1) IMAP software could retreive certificates from a repository at the
same time messages are retreived from the message store. Since the
S/MIME Bag `o Certs isn't signed, clients wouldn't even need to know
whether the certs in a message were included by the sender or inserted
by an S/MIME-capable IMAP/POP server.
2) Most mail list, newsgroup, or personal messages are not first-time
postings. If you have received a signed message from someone before,
his/her certificate could already be in your local cache. In fact,
it is much more likely that a person's signing certificate
has already been seen than his encryption certificate and algorithm
Security must be as unobtrusive as possible, or it will be
laughed/cursed at, then discarded.