ietf-smime

Re: Charter Change Request

1998-05-04 16:15:15
Marc Branchaud wrote:


Isn't PKIX doing this already?  Does the stated goal ("maximizing...")
require more than what PKIX is doing?

                Marc


The last time I looked at the PKIX stuff it didn't include a way to
state supported ciphers (someone please correct me if I'm wrong) e.g.
via some SMIMECapabilities variant. 

If you just have the certificate via (e.g.) LDAP then you can't be sure
what ciphers are supported by the recipient: considering the SMIME v3/v2
differences in mandatory ciphers (3DES and RC2-40) this is important
IMHO.

Currently I think the only way to be sure is to send plaintext to the
recipient and get something signed in return including the capabilities. 
This makes the directory certificate of little use: you could've done
that with just the email address.

-- 
Dr Stephen N. Henson.
UK based freelance Cryptographic Consultant. For info see homepage.
Homepage: http://www.drh-consultancy.demon.co.uk/
Email: shenson(_at_)bigfoot(_dot_)com
PGP key: via homepage.
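
The situation described in the message above, as an added Python example that is not part of the original post: a sender decodes a recipient's SMIMECapabilities attribute when it has one and picks a cipher from it, and has to guess when it holds only a certificate. The helper names, the sender's cipher set and the DER sample bytes are constructed for illustration, and the fallback is whatever policy the caller passes in.

```python
# Added example: names and sample bytes below are constructed, not from the thread.
OID_NAMES = {"1.2.840.113549.3.7": "3DES", "1.2.840.113549.3.2": "RC2"}

def read_tlv(buf, pos):
    """Read one short-form DER element; return (tag, value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated header or long-form length (not handled here)")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos], buf[pos + 2:end], end

def decode_oid(value):  # OBJECT IDENTIFIER contents -> dotted notation
    subids, acc = [], 0
    for byte in value:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:             # last byte of this sub-identifier
            subids.append(acc)
            acc = 0
    first = min(subids[0] // 40, 2)     # first two arcs share one sub-identifier
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def parse_capabilities(der):
    """Return [(cipher, key_bits_or_None), ...] in the recipient's preference order."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE OF SMIMECapability")
    caps, pos = [], 0
    while pos < len(body):
        tag, cap, pos = read_tlv(body, pos)
        otag, oid, nxt = read_tlv(cap, 0)
        if tag != 0x30 or otag != 0x06 or not oid:
            raise ValueError("malformed SMIMECapability")
        ptag, pval = read_tlv(cap, nxt)[:2] if nxt < len(cap) else (None, b"")
        bits = int.from_bytes(pval, "big") if ptag == 0x02 else None
        name = decode_oid(oid)
        caps.append((OID_NAMES.get(name, name), bits))
    return caps

def choose_cipher(caps, sender_supports, fallback):
    """First recipient preference the sender supports; a blind guess if caps is None."""
    if caps is None:                    # certificate only (e.g. fetched via LDAP)
        return fallback, "guess"
    common = [c for c in caps if c in sender_supports]
    return (common[0], "negotiated") if common else (None, "no common cipher")

V3_CAPS = bytes.fromhex("302b300a06082a864886f70d0307300e06082a864886f70d030202020080300d06082a864886f70d0302020128")
V2_CAPS = bytes.fromhex("300f300d06082a864886f70d0302020128")  # RC2-40 only
SENDER = {("3DES", None), ("RC2", 40)}
```

With `caps=None` the sender's choice depends only on its fallback policy, so a 3DES guess reaches an RC2-40-only recipient as unreadable mail, which is the gap the message points out.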

