S/MIME gateway software in the context of a 'closed-community' is a
proven method of authenticating the sending domains of e-mail messages
and has been effective at blocking increased volumes of spoofed e-mail
messages (providing they were sent from a participating
domain). And of
course using S/MIME encryption protects one from in-transit
Quite, and don't forget that TLS can add value.
Applying what is quite manageable in a 'closed-community' for an
Internet-wide deployment would be somewhat more challenging though.
Particularly around certificate deployment, trust-chains and
auto-discovery (assume DNS for internet-wide; a
use LDAP). I think that is why domain keys proposes to trust
DNS data as being authoritative without any further validation.
Storing keys in the DNS has its place, any technique to obtain
a rough authentication of a domain key is worthwhile. I do not
think the technique works when you get down to the user level.
I entirely disagree on the LDAP issue. I think that LDAP has
had its chance as an Internet protocol and the use that it has
found will never pass beyond the firewall (which contrary to
some thought will not go away).
LDAP is a BAD certificate discovery protocol. It provides none
of the support that is really needed, except in the simplest
trust models where support is unnecessary. XKMS does the job much
better. SCVP might prove to be of use, but the time for deploying
new ASN.1 based protocols has gone. We have seen the future and
it has angle brackets around it.
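To make concrete the "trust DNS data as authoritative" model the thread argues over, here is an added example written for this page; it is not code from any of the posters, from DomainKeys or from any other project. A domain publishes an RSA public key in a TXT record, the receiver fetches that record by selector and domain name and verifies the message signature with whatever key comes back, and nothing else (no certificate, no chain, no CA) ties the key to the domain. The record layout (`k=rsa; p=<base64 SubjectPublicKeyInfo>` at `<selector>._domainkey.<domain>`, the DKIM form that descended from DomainKeys), the `zone` map standing in for the resolver, the selector `mail`, the domain `example.com` and the message text are all constructed assumptions for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// zone stands in for the DNS resolver (constructed for this example). Everything
// the verifier knows about the sending domain comes from this map, which is
// exactly the "DNS data is authoritative" assumption: no chain, no CA.
type zone map[string]string

// publishKeyRecord renders the TXT record a domain would place at
// <selector>._domainkey.<domain>. The tag=value layout is assumed here.
func publishKeyRecord(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return "k=rsa; p=" + base64.StdEncoding.EncodeToString(der), nil
}

// parseKeyRecord turns a key TXT record back into an RSA public key.
// An empty or missing p= tag is treated as a revoked key and rejected.
func parseKeyRecord(txt string) (*rsa.PublicKey, error) {
	tags := map[string]string{}
	for _, field := range strings.Split(txt, ";") {
		field = strings.TrimSpace(field)
		if field == "" {
			continue
		}
		k, v, ok := strings.Cut(field, "=")
		if !ok {
			return nil, fmt.Errorf("malformed tag %q", field)
		}
		tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	if kt, ok := tags["k"]; ok && kt != "rsa" {
		return nil, fmt.Errorf("unsupported key type %q", kt)
	}
	p := strings.Join(strings.Fields(tags["p"]), "") // tolerate folded whitespace
	if p == "" {
		return nil, errors.New("empty or missing p= tag: key revoked")
	}
	der, err := base64.StdEncoding.DecodeString(p)
	if err != nil {
		return nil, fmt.Errorf("bad base64 in p= tag: %w", err)
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("p= tag does not hold an RSA key")
	}
	return rsaPub, nil
}

// signMessage signs the (already canonicalized) message with the domain key.
func signMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// verifyMessage does what a DomainKeys-style receiver does: look up the key
// named by selector and domain, and check the signature with it. The DNS
// answer is the only thing binding the key to the domain.
func verifyMessage(z zone, selector, domain string, msg, sig []byte) error {
	name := selector + "._domainkey." + domain
	txt, ok := z[name]
	if !ok {
		return fmt.Errorf("no key record at %s", name)
	}
	pub, err := parseKeyRecord(txt)
	if err != nil {
		return err
	}
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// demo runs publish/sign/verify on a constructed message and reports whether
// the genuine message verifies and whether a tampered copy does.
func demo() (genuineOK, tamperedOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	rec, err := publishKeyRecord(&priv.PublicKey)
	if err != nil {
		return false, false, err
	}
	z := zone{"mail._domainkey.example.com": rec} // constructed zone data
	msg := []byte("From: alice@example.com\r\nSubject: invoice\r\n\r\nPlease pay.\r\n")
	sig, err := signMessage(priv, msg)
	if err != nil {
		return false, false, err
	}
	genuineOK = verifyMessage(z, "mail", "example.com", msg, sig) == nil
	tampered := append(append([]byte{}, msg...), []byte("Use the new account.\r\n")...)
	tamperedOK = verifyMessage(z, "mail", "example.com", tampered, sig) == nil
	return genuineOK, tamperedOK, nil
}

func main() {
	g, t, err := demo()
	fmt.Println("genuine verifies:", g, "tampered verifies:", t, "err:", err)
}
```

Note what the key is named by: a selector and a domain, never a mailbox. That is the point made above about the technique authenticating the domain rather than the user; a message from any address at the domain verifies against the same record, and anyone who can answer the TXT query for that name controls which key the receiver trusts.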