I have no comments on the "design" in this draft.
However, I seriously question the idea to put client software
capabilities in certificates.
Why?
- because issuers may not have this information
- because users may have multiple clients
- because static solutions are limiting
If we begin to use dynamic methods like XKMS + DNS to find
public keys of recipients, SCEXT represents a step in another direction.
Due to the limited utility of true end-to-end encryption in corporate
environments (the DOMSEC RFC shows a few good reasons to that),
as well as the de-facto use of the web as a distribution medium for
e-government purposes (which is a much easier solution than S/MIME),
I believe that Microsoft should focus on making a gateway e-mail
standard a reality rather than patching a system that never will play
a major role and actually mostly creates problems for end-users and
system administrators.
Anders