
Re: A good article on S/MIME implementation problems

2004-03-25 09:28:19

At 7:45 AM -0500 3/25/04, Russ Housley wrote:
> 1. The article gives the impression that S/MIME is broken, and this is not the case. I would have been much happier with a title that conveyed problems with certificate issuing services and the ramifications of poor identity proofing. S/MIME is not the only security protocol that will suffer if the identity in a certificate is bogus.

We disagree that the article gives the impression that S/MIME is broken. Reading it, I came away with the impression that some S/MIME implementations are broken. Maybe I've been working with this too long and I know that S/MIME isn't broken.

> 2. As far as S/MIME is concerned, the email address is the identity. X.500 Distinguished Names are not helpful to the S/MIME application, as there are not any protocol fields that make use of this form of identity.

Exactly right. The fact that Thawte asks for it, and some S/MIME applications use it, shows a disregard for the standard. They are blatantly ignoring the SHOULD NOT.

> 3. The fact that Outlook hides the only form of identity that is validated is the biggest problem.

Absolutely true, and pretty clear from the article.

> Now that a script has been posted, maybe we should put some stronger language in MSGbis about the user interface.

That would be nice.

--Paul Hoffman, Director
--Internet Mail Consortium
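The identity check the thread is arguing about, written out as an added example (not code from either poster or from any S/MIME implementation): the address in the From header is compared only against the rfc822Name entries of the signer's certificate, while the display name and any Distinguished Name fields are ignored. It assumes the certificate's identities have already been extracted into plain strings; the inputs below are constructed.

```python
"""Illustrative S/MIME identity check (added example, not from the thread).

Assumes the signing certificate has already been parsed and its
subjectAltName rfc822Name values handed over as a list of strings.
"""
from email.utils import parseaddr


def normalize(addr: str) -> str:
    """Lower-case the domain only; the local part is case-sensitive."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return ""
    return f"{local}@{domain.lower()}"


def from_address(from_header: str) -> str:
    """Return the addr-spec from a From header, discarding the display name."""
    _display_name, addr = parseaddr(from_header)
    return normalize(addr)


def signer_matches_from(from_header: str, san_rfc822: list[str]) -> bool:
    """True when an rfc822Name in the signer's certificate equals the From
    addr-spec. The display name and the DN are deliberately not consulted:
    the email address is the identity S/MIME actually validates."""
    wanted = from_address(from_header)
    if not wanted:
        return False
    return any(normalize(s) == wanted for s in san_rfc822)


def display_name_conflicts(from_header: str, san_rfc822: list[str]) -> bool:
    """Flag a display name that itself looks like an address but is not one
    the certificate validates: what the user sees would then contradict the
    only identity that was checked, which is the UI problem point 3 raises."""
    display_name, _addr = parseaddr(from_header)
    shown = normalize(display_name.strip())
    if not shown:
        return False
    return all(normalize(s) != shown for s in san_rfc822)


if __name__ == "__main__":
    # Constructed sample: the display name mimics a different mailbox.
    hdr = '"alice@example.com" <mallory@evil.example>'
    print(signer_matches_from(hdr, ["mallory@evil.example"]))   # True: signature binds mallory
    print(display_name_conflicts(hdr, ["mallory@evil.example"]))  # True: shown name is not validated
```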

