ietf-smime

RE: dissemination of public encryption certificates

2003-08-08 19:41:15

-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org 
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Julien 
Pierre
Sent: Friday, August 08, 2003 7:07 PM
To: ietf-smime(_at_)imc(_dot_)org
Subject: dissemination of public encryption certificates

> If I have a keypair and e-mail certificate, and I want to send encrypted
> e-mail to somebody knowing his e-mail address, what's a systematic way
> to obtain the recipient's encryption certificate?

Systematic is an interesting choice of words ;).

I have seen LDAP work (if properly configured).  For the most part, the
most reliable way I've seen is for an intended recipient to send a
signed message containing their encrypting certificate (which you are
about to point out ;)).

> Traditionally today, signed e-mail messages typically contain the
> signer's public encryption certificate. However that means one party
> needs to first send a signed, unencrypted e-mail message to transmit the
> public encryption certificate before both parties can exchange encrypted
> messages.

Yup.

> There are also ways to find recipient certificates today using corporate
> directory servers, but users must know about them and manually configure
> them in their applications, and they are typically not widely available
> on the Internet.

Yup.

> I'm envisioning some standardized scheme where, by starting with the
> recipient's email address, it would be possible to locate a public
> directory server, then find the recipient's certificate by looking it up
> in that directory server.

I believe that at least one proposal exists for this in the PKIX working
group -- look at the operational protocols for certificate store access.

> My main question is: has any similar scheme been proposed? I would
> rather work with something that exists, but if there is nothing that
> fits, I'm open to writing an RFC.

Check out PKIX.  They're not taking new drafts, but there may be
something useful for you there.  Any work along these lines would most
likely be handled by that working group.

Blake
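The "send a signed message first" mechanism both posters describe works because the CMS SignedData structure inside a signed S/MIME message has a `certificates` field that normally carries the signer's certificate(s). The following is an added example, not code from this thread or from any S/MIME product, showing where that field lives and how a recipient would dig the certificate out with the standard library alone. The sample SignedData, the two certificates in it (zeroed placeholder keys and signatures, so they cannot be verified) and the address alice@example.org are all constructed here. The sample deliberately ships a signing-only certificate next to a separate encryption certificate, because the certificate that signed the message is not necessarily the one to encrypt to; the keyUsage check at the end is the practical filter.

```python
# Added example, not code from the thread: harvest the sender's certificate(s)
# from the CMS SignedData (RFC 3852) that a signed S/MIME message carries.

# DER OBJECT IDENTIFIER TLVs (tag 06, length, base-128 arcs)
OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")   # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("06092a864886f70d010701")          # 1.2.840.113549.1.7.1
OID_RSA = bytes.fromhex("06092a864886f70d010101")           # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")    # sha256WithRSAEncryption
OID_KEY_USAGE = bytes.fromhex("0603551d0f")                 # 2.5.29.15
OID_SUBJECT_ALT_NAME = bytes.fromhex("0603551d11")          # 2.5.29.17
KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT = 0x80, 0x20      # KeyUsage bits 0 and 2

def der(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_children(data):
    """Split a constructed DER body into (tag, body, raw_tlv) triples."""
    i, out = 0, []
    while i < len(data):
        tag, ln, j = data[i], data[i + 1], i + 2
        if ln & 0x80:                                # long-form length
            nb = ln & 0x7F
            ln, j = int.from_bytes(data[j:j + nb], "big"), j + nb
        out.append((tag, data[j:j + ln], data[i:j + ln]))
        i = j + ln
    return out

def dummy_certificate(rfc822, key_usage_bits):
    """Structurally valid X.509 v3 cert (constructed data, zeroed key/signature)."""
    alg = der(0x30, OID_SHA256_RSA + der(0x05, b""))
    name = der(0x30, b"")                            # empty RDNSequence
    validity = der(0x30, der(0x17, b"030808000000Z") + der(0x17, b"040808000000Z"))
    spki = der(0x30, der(0x30, OID_RSA + der(0x05, b"")) + der(0x03, bytes(65)))
    ku = der(0x30, OID_KEY_USAGE + der(0x01, b"\xff")
             + der(0x04, der(0x03, bytes([0, key_usage_bits]))))
    san = der(0x30, OID_SUBJECT_ALT_NAME
              + der(0x04, der(0x30, der(0x81, rfc822.encode("ascii")))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name
              + validity + name + spki + der(0xA3, der(0x30, ku + san)))
    return der(0x30, tbs + alg + der(0x03, bytes(65)))

def signed_data(certs):
    """ContentInfo{id-signedData, [0] SignedData} carrying `certs`.  signerInfos
    is left empty, which is the certs-only SignedData form RFC 3851 defines."""
    sd = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, OID_DATA)
             + der(0xA0, b"".join(certs)) + der(0x31, b""))
    return der(0x30, OID_SIGNED_DATA + der(0xA0, sd))

def extract_certificates(blob):
    """Raw DER certificates in a ContentInfo blob, i.e. what
    part.get_payload(decode=True) yields for the pkcs7-signature MIME part."""
    (_, ci_body, _), = der_children(blob)
    (_, _, oid_raw), (ctag, content, _) = der_children(ci_body)[:2]
    if oid_raw != OID_SIGNED_DATA or ctag != 0xA0:
        return []                                    # not a SignedData blob
    (_, sd_body, _), = der_children(content)
    for tag, body, _ in der_children(sd_body):
        if tag == 0xA0:                              # certificates [0] IMPLICIT
            return [raw for t, _, raw in der_children(body) if t == 0x30]
    return []

def describe_certificate(cert):
    """Return (rfc822Names from subjectAltName, keyUsage byte) of a DER cert."""
    tbs = der_children(der_children(cert)[0][1])[0][1]
    emails, key_usage = [], 0
    for tag, body, _ in der_children(tbs):
        if tag != 0xA3:                              # extensions [3] EXPLICIT
            continue
        for _, ext, _ in der_children(der_children(body)[0][1]):
            kids = der_children(ext)                  # OID, [critical], OCTET STRING
            ext_id, ext_val = kids[0][2], kids[-1][1]
            if ext_id == OID_SUBJECT_ALT_NAME:
                names = der_children(der_children(ext_val)[0][1])
                emails += [b.decode("ascii") for t, b, _ in names if t == 0x81]
            elif ext_id == OID_KEY_USAGE:
                bits = der_children(ext_val)[0][1]   # BIT STRING: unused-bit count, bits
                key_usage = bits[1] if len(bits) > 1 else 0
    return emails, key_usage

def encryption_certificates_for(blob, address):
    """Certs whose SAN names `address` and whose keyUsage allows keyEncipherment.
    Chain and revocation checks are NOT done here and must precede any use."""
    out = []
    for cert in extract_certificates(blob):
        emails, key_usage = describe_certificate(cert)
        if address.lower() in [e.lower() for e in emails] and key_usage & KU_KEY_ENCIPHERMENT:
            out.append(cert)
    return out

# Constructed sample: Alice's signing-only certificate plus her separate
# encryption certificate, both shipped in one SignedData.
SAMPLE_BLOB = signed_data([dummy_certificate("alice@example.org", KU_DIGITAL_SIGNATURE),
                           dummy_certificate("alice@example.org", KU_KEY_ENCIPHERMENT)])
```

Feed `extract_certificates` the decoded body of the application/pkcs7-signature part (the standard `email` module's `part.get_payload(decode=True)`); for a certs-only application/pkcs7-mime message the same blob arrives with an empty signerInfos set, which is why `signed_data` above builds it that way. The harvest is only the first step: Bob still has to build and validate the chain and check revocation before trusting a certificate that arrived in somebody's mail, and if the message carries only a signing certificate (RFC 3851 lets the signer point at a different encryption certificate with the SMIMEEncryptionKeyPreference signed attribute), the encryption certificate has to come from a directory anyway, which is exactly the gap the original question is about.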