ietf-smime
[Top] [All Lists]

Encrypted mail in Limbo

2003-01-30 02:24:02

As you probably have noticed, "authenticated" URLs are very
common in many places like for verifying e-mail addresses, often
in connection to a certain registration event.

In order to use other peoples' public keys for e-mail encryption,
I claim that none of the proposed systems [1] work well except in very
local (or very open) places due to privacy issues [2].

The problem is how to distribute "semi-secret" information in a
simple way.    It seems like a signed mail-address MIME-type could
be required for out-of-band distribution using a client "click" only.

  566655fe76adr5fyyeed655:bob(_at_)bobcorp(_dot_)test

Anders R

1] LDAP, XKMS, HTTP CertStore

2] X.500 directories is a bad idea from a privacy point of view.
That is, you typically have a limited set of trusted parties that
you may need to send encrypted messages to.   These partnerships 
have been established in ad-hoc out-of-band ways.  However, to
distribute passwords, client certificates for partners to use for
accessing your public key would be awfully complicated. 
"Authenticated" (hmac-signed lookup data) represent a reasonable
compromise between security and privacy.  Semi-secret data...

Or do you think that corporatations will publish keys for anybody
to access?  I'm doubt they will, except for a few contact "persons"
like info(_at_)acme(_dot_)com :-)


<Prev in Thread] Current Thread [Next in Thread>