ietf-smime

Re: Status of RFC3183: Domain Security Services using S/MIME

2004-01-20 20:14:31

"Craig McGregor" <Craig(_dot_)McGregor(_at_)treasury(_dot_)govt(_dot_)nz> writes:

> Is anyone aware of any similar implementations of DOMSEC in other
> 'communities' that have similar paranoia/security requirements? I think there
> was something similar used for Health care in parts of the US?

There are a number of independent reinventions of DOMSEC (or DOMSEC-type
mechanisms) by S/MIME gateway vendors around (is there any vendor of such a
product who hasn't done something similar somewhere?  You more or less need to
do this at some point).  It's one of these things where implementors have
quietly gone out and fixed the problem (unfortunately probably in mostly
incompatible ways) while the standardisation effort was mired in politics and
pie-throwing.

This may have created a somewhat unfortunate situation where vendors already
have their own solutions and aren't too interested in a push for a single
standard approach, and even if someone were to push for a standards-track
design, everyone would feel the need to push their own products' approach as
the One True Solution (currently it's relatively clean and simple because it
was done by one or two people with a single design in mind).  It could get
really messy, ending up as either a one-size-misfits-all design-by-committee
mess or something that vendors ignore because it conflicts with their existing
in-house design that they've had deployed for years.

So is it something that needs a proper standards-track RFC: Yes, definitely.

Would creating one at this point be effective: In the short term probably not.
  In the long term it would certainly be nice to have for future
  implementations and future deployments.

Peter.