Hi,
This issue is one of the main use cases for XKMS. This has considerable support within the PKI community: VeriSign, Microsoft, RSA, Entrust and Baltimore have been involved in writing the specification, which is in the final post-last-call stage in W3C.
The (almost) final spec is to be found at
http://www.w3.org/2001/XKMS/Drafts/XKMS20030804/xkms-part-1.html
http://www.w3.org/2001/XKMS/Drafts/XKMS20030804/xkms-part-2.html
There will be two further changes to the spec: one to make a minor tweak to the schema sometime this week, the second to change the examples to use exclusive C14N.
An XKMS locate service may be advertised in the DNS using the SRV record. So to send mail to alice@example.com you do an XKMS locate to _xkms_http._tcp.example.com. That gives you the XKMS service. You then do a locate for a certificate to be used with S/MIME.
Phill
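The SRV-then-Locate flow Phill describes, as an added example that is not code from the original thread or from any XKMS implementation: it derives the SRV owner name from the recipient's address, picks a target from a constructed SRV answer, and builds the XKMS LocateRequest for an S/MIME certificate. The XKMS namespace, the S/MIME UseKeyWith Application URI and the X509Cert RespondWith value are taken from the XKMS 2.0 spec rather than from the mail, and the /xkms service path is an assumption.

```python
import xml.etree.ElementTree as ET

# Identifiers below come from the XKMS 2.0 specification, not from the mail itself (assumption).
XKMS_NS = "http://www.w3.org/2002/03/xkms#"
SMIME_APP = "urn:ietf:rfc:2633"            # UseKeyWith Application URI for S/MIME
WANT_X509 = XKMS_NS + "X509Cert"           # RespondWith: return the X.509 certificate
ET.register_namespace("", XKMS_NS)         # serialise XKMS as the default namespace

def xkms_srv_name(email):
    """Owner name of the SRV record that advertises the recipient domain's XKMS service."""
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError("not an e-mail address: %r" % email)
    return "_xkms_http._tcp." + domain.lower().rstrip(".")

def pick_srv_target(records):
    """records: (priority, weight, port, target) tuples as a resolver returns them.
    Lowest priority wins; among equals prefer the highest weight (RFC 2782, minus the random spread)."""
    if not records:
        raise LookupError("no XKMS SRV record; fall back to another discovery method")
    _, _, port, target = sorted(records, key=lambda r: (r[0], -r[1]))[0]
    return target.rstrip("."), port

def locate_request(email, service_uri, request_id="I1"):
    """Serialise an XKMS LocateRequest asking for the S/MIME certificate bound to `email`."""
    req = ET.Element("{%s}LocateRequest" % XKMS_NS, Id=request_id, Service=service_uri)
    ET.SubElement(req, "{%s}RespondWith" % XKMS_NS).text = WANT_X509
    qkb = ET.SubElement(req, "{%s}QueryKeyBinding" % XKMS_NS)
    ET.SubElement(qkb, "{%s}UseKeyWith" % XKMS_NS, Application=SMIME_APP, Identifier=email)
    return ET.tostring(req, encoding="unicode")

def requested_identifier(xml_text):
    """Parse a LocateRequest back and return (Application, Identifier) of its UseKeyWith."""
    ukw = ET.fromstring(xml_text).find(".//{%s}UseKeyWith" % XKMS_NS)
    return ukw.get("Application"), ukw.get("Identifier")

# Constructed SRV answer for _xkms_http._tcp.example.com; no real DNS lookup is performed.
SAMPLE_SRV = [(10, 40, 80, "xkms1.example.com."),
              (10, 60, 80, "xkms2.example.com."),
              (20, 0, 8080, "backup.example.com.")]

if __name__ == "__main__":
    host, port = pick_srv_target(SAMPLE_SRV)
    uri = "http://%s:%d/xkms" % (host, port)   # service path is site-specific (assumption)
    print(xkms_srv_name("alice@example.com"))
    print(locate_request("alice@example.com", uri))
```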
-----Original Message-----
From: jpierre(_at_)netscape(_dot_)com [mailto:jpierre(_at_)netscape(_dot_)com]
Sent: Friday, August 08, 2003 10:07 PM
To: ietf-smime(_at_)imc(_dot_)org
Subject: dissemination of public encryption certificates
Hi,
Since this is my first posting to this mailing list, let me introduce myself: I'm a software engineer in AOL / Netscape and one of my responsibilities for several years has been to maintain the open source Netscape Security Services (NSS) library, which is used in the Mozilla browsers, many Netscape and Sun servers, and other internal products. The NSS library contains an implementation of S/MIME v3.
I was wondering what thoughts you may have on the following problem: if I have a keypair and e-mail certificate, and I want to send encrypted e-mail to somebody knowing his e-mail address, what's a systematic way to obtain the recipient's encryption certificate?
Traditionally today, signed e-mail messages typically contain the signer's public encryption certificate. However, that means one party needs to first send a signed, unencrypted e-mail message to transmit the public encryption certificate before both parties can exchange encrypted messages.
There are also ways to find recipient certificates today using corporate directory servers, but users must know about them and manually configure them in their applications, and they are typically not widely available on the Internet.
I'm envisioning some standardized scheme where, by starting with the recipient's email address, it would be possible to locate a public directory server, then find the recipient's certificate by looking it up in that directory server.
My main question is: has any similar scheme been proposed? I would rather work with something that exists, but if there is nothing that fits, I'm open to writing an RFC.
Also, what are the other ways that people locate recipient S/MIME e-mail encryption certificates?
Thanks.