ietf-smime

Re: (Practical) S/MIME certificate chain handling

2003-07-15 06:27:01



Jim,

apologies for the delay. I've been on vacation and have just salvaged
your email from the 800 or so spams that were waiting for me :-) I also
got overenthusiastic about my mailbox management and succeeded in
deleting the original of this. The headers are munged because I recovered
this text from the IETF archive!

Jim Schaad wrote:

> I hope there is a great deal more to this than what you are stating for
> a Best Practice recommendation.

Indeed. I did say it was 'a' recommendation without alluding to the
others, some of which concern the management of the root CA certificate
store.

> 1.  Acceptance of root certificates by end-users is a real problem.
> They tend to say yes without any good reason to do so.  This means that
> it is easy to stick "bad" root certificates on a person's machine.

I agree completely. At the organisation level, however, the management
of the Root CA store is an administrative policy issue rather than a
technical one. The inclusion of the trust chain with outgoing emails
facilitates the distribution of trust in the continued absence of a
global recovery mechanism. It does not preclude correct and secure usage
of such paths, in line with policy, at the recipient device.

> If you are really working in a single structure, then this information
> should be automatically distributed to people's machines and not sent
> from the sender.

By a single structure do you mean a single organisation or a single
trust tree? Policy should certainly be managed centrally although I'm
unconvinced that many organisations really understand the future
legal implications of permitting their end-users to grow their own Root
CA stores. As you imply, we are not yet anywhere near widespread, correct
usage. In the main this is due to the fact that Digital Certificates are
still being used in many areas merely as technology enablers rather than
the trust mechanisms that they are designed to be. As such, acceptance of
trust (and thus liability) by end users is too easy and uncontrolled and
simply allows the software to work rather than trust be maintained.

Chris


Royal Mail is a trading name of Royal Mail Group plc. Registered in England and
Wales.
Registered number 4138203. Registered office at 148 Old Street, LONDON EC1V 9HQ


