Pierre,
It is good to hear somebody bring up this question which is absolutely
vital for successful deployment of encrypted mail.
Personally I don't think that neither the S/MIME WG or XKMS WG
have a solution that at least I would call "acceptable".
XKMS addresses to some extent the enterprise scenario but only
if the enterprise has their own domain and associated CA. For
truly TTP-based certificates you are out of luck if you are looking
for automated functionality.
I believe that the mail protocol and associated applications
should be augmented with encryption certificate lookup. A
MIME X-extension that you configured in your e-mail client
would do a part of this. I.e. each time you sent a mail, the
lookup would be transmitted as well. Also it would be
nice to have an enhanced "mailto:"; URL supporting the same
mechanism.
In summary I think that a certificate-independent configuration
of e-mail clients would be more universal than "fishing" in
domains as the user domain and issuer domain may be entirely
disjunct.
Anders
----- Original Message -----
From: "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com>
To: <jpierre(_at_)netscape(_dot_)com>; <ietf-smime(_at_)imc(_dot_)org>
Sent: Tuesday, August 12, 2003 01:55
Subject: RE: dissemination of public encryption certificates
Hi,
This issue is one of the main use cases for XKMS. This has
considerable support within the PKI community, VeriSign, Microsoft, RSA,
Entrust and Baltimore have been involved in writing the specification
which is in the final post last call stage in W3C.
The (almost) final spec is to be found at
http://www.w3.org/2001/XKMS/Drafts/XKMS20030804/xkms-part-1.html
http://www.w3.org/2001/XKMS/Drafts/XKMS20030804/xkms-part-2.html
There will be two further changes to the spec, one to make a
minor tweak to the schema sometime this week, the second to change the
examples to use exclusive C18N.
An XKMS locate service may be advertised in the DNS using the
SRV record. So to send mail to alice(_at_)example(_dot_)com you do an XKMS
locate
to _xkms_http._tcp.example.com.
That gives you the XKMS service.
You then do a locate for a certificate to be used with S/MIME.
Phill
-----Original Message-----
From: jpierre(_at_)netscape(_dot_)com [mailto:jpierre(_at_)netscape(_dot_)com]
Sent: Friday, August 08, 2003 10:07 PM
To: ietf-smime(_at_)imc(_dot_)org
Subject: dissemination of public encryption certificates
Hi,
Since this is my first posting to this mailing list, let me introduce
myself :
I'm a software engineer in AOL / Netscape and one of my
responsibilities
for several years has been to maintain the open source
Netscape Security
Services (NSS) library, which is used in the Mozilla browsers, many
Netscape and Sun servers, and other internal products. The
NSS library
contains an implementation of S/MIME v3.
I was wondering what thoughts you may have on the following problem :
If I have a keypair and e-mail certificate, and I want to
send encrypted
e-mail to somebody knowing his e-mail address, what's a
systematic way
to obtain the recipient's encryption certificate ?
Traditionally today, signed e-mail messages typically contain the
signer's public encryption certificate. However that means one party
needs to first send a signed unencrypted, e-mail message to
transmit the
public encryption certificate before both parties can
exchange encrypted
messages.
There are also ways to find recipient certificates today
using corporate
directory servers, but users must know about them and
manually configure
them in their applications, and they are typically not widely
available
on the Internet.
I'm envisioning some standardized scheme where, by starting with the
recipient's email address, it would be possible to locate a public
directory server, then find the recipient's certificate by
looking it up
in that directory server.
My main question is : has any similar scheme been proposed ? I would
rather work with something that exists, but if there is nothing that
fits, I'm open to writing an RFC.
Also, what are the other ways that people locate recipient
S/MIME e-mail
encryption certificates ?
Thanks.