On Fri, 15 Aug 2003 00:28:48 +0200 Simon Josefsson <jas(_at_)extundo(_dot_)com> wrote:
> Since mail clients cannot find certificates for arbitrary users today,
> I believe clients must be modified regardless of the solution chosen.
Yes.
> Even here there is an advantage for DNS: mail clients already
> implement DNS. There is no need to open ports in firewalls etc for
> LDAP or XKMS. There is no need to implement new client code in the
> mail client.
That is, regrettably, not accurate. Existing clients do very little but
hostname to address translation and service port location. I would be
very surprised if they did anything but gethostbyname and getservbyname
calls (or the platform API equivalent). It would be an addition to get
them to query and retrieve records directly.
Of course, this could be greatly aided by a freeware implementation on top
of bind that provided a nice simple "give me a cert for this email
address". It could do any of the approaches (direct cert from DNS, SRV
to LDAP server followed by LDAP lookup, SRV to xkms server followed by
xkms lookup). That would aid client developers and abstract things
nicely but still wouldn't guarantee uptake.
Whatever is done here, we have to convince Microsoft that it is a good
thing to do and not very hard. I saw a notice today that Microsoft has
officially terminated extension of Outlook Express. They want you to use
Outlook instead. That means that S/MIME support in Express is more or
less frozen ... I guess.
Cheers.
---
Steve Hole
Chief Technology Officer - Billing and Payment Systems
ACI Worldwide
<mailto:holes(_at_)ACIWorldwide(_dot_)com>
Phone: 780-424-4922
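The "give me a cert for this email address" abstraction described in the message above, as an added example that is not part of the thread or of any bind add-on: it tries the three routes named there in order (a CERT record for the mailbox, an SRV record for an LDAP server, an SRV record for an XKMS server) and returns where the certificate was found. The DNS query function is injected, so the logic runs offline against a constructed zone; the mailbox-to-owner-name rule, the "_xkms._tcp" service label and the zone contents are assumptions made for this example.

```python
"""Locate an S/MIME certificate for a mailbox through DNS, trying in turn
a CERT record for the mailbox, an SRV record for an LDAP server and an
SRV record for an XKMS server.  The resolver is injected so that this
runs offline against a constructed zone (example code, not a library API)."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class SrvTarget:
    priority: int
    weight: int
    port: int
    target: str


@dataclass(frozen=True)
class CertLocator:
    method: str               # "dns-cert", "ldap", "xkms" or "none"
    where: Optional[str]      # owner name or host:port that was selected
    payload: Optional[bytes]  # certificate bytes when served straight from DNS


QueryFn = Callable[[str, str], List[object]]  # (owner name, RR type) -> records


def mailbox_to_owner_name(email: str) -> str:
    """Owner name to ask for a CERT record.  Assumption for this example: the
    local part becomes one label in front of the lower-cased mail domain,
    e.g. user@example.org -> user.example.org.  Local-part case is kept."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a mailbox address: %r" % email)
    return "%s.%s" % (local, domain.lower())


def order_srv(records: List[SrvTarget]) -> List[SrvTarget]:
    """Candidates in the order a client should try them: lowest priority first.
    A target of "." means the service is explicitly not offered and is dropped.
    Equal-priority entries are ordered by descending weight here instead of
    the weighted random choice a full SRV client would make."""
    usable = [r for r in records if r.target != "."]
    return sorted(usable, key=lambda r: (r.priority, -r.weight))


# Service labels for the SRV lookups: "_ldap._tcp" is the conventional one,
# "_xkms._tcp" is an assumption made for this example.
SRV_ROUTES = (("ldap", "_ldap._tcp."), ("xkms", "_xkms._tcp."))


def locate(email: str, query: QueryFn) -> CertLocator:
    """Direct CERT first, then LDAP via SRV, then XKMS via SRV."""
    owner = mailbox_to_owner_name(email)
    domain = email.rpartition("@")[2].lower()
    certs = query(owner, "CERT")
    if certs:
        return CertLocator("dns-cert", owner, bytes(certs[0]))
    for method, service in SRV_ROUTES:
        candidates = order_srv(query(service + domain, "SRV"))
        if candidates:
            best = candidates[0]
            return CertLocator(method, "%s:%d" % (best.target, best.port), None)
    return CertLocator("none", None, None)


# Constructed zone data standing in for real DNS answers.
CONSTRUCTED_ZONE = {
    ("alice.example.org", "CERT"): [b"<constructed DER bytes for alice>"],
    ("_ldap._tcp.example.net", "SRV"): [
        SrvTarget(20, 0, 389, "ldap-backup.example.net"),
        SrvTarget(10, 40, 389, "ldap2.example.net"),
        SrvTarget(10, 60, 389, "ldap1.example.net"),
    ],
    ("_ldap._tcp.example.com", "SRV"): [SrvTarget(0, 0, 389, ".")],  # LDAP refused
    ("_xkms._tcp.example.com", "SRV"): [SrvTarget(0, 0, 443, "xkms.example.com")],
}


def zone_query(name: str, rtype: str) -> List[object]:
    """Stand-in resolver: DNS names are case-insensitive, so normalise first."""
    return list(CONSTRUCTED_ZONE.get((name.lower().rstrip("."), rtype), []))


if __name__ == "__main__":
    for addr in ("alice@example.org", "bob@example.net",
                 "carol@example.com", "dave@nowhere.test"):
        print(addr, "->", locate(addr, zone_query))
```

Whatever route answers, the result is only a locator: the certificate it leads to still has to be chain-validated against the client's trust anchors and matched to the mailbox before it is used, since an unsigned DNS answer says where to look, not whom to trust.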