ietf-smime

Re: Goal for S/MIME 2007?

2007-01-25 14:57:26

In theory S/MIME could be one "cure" against spam, viruses and phishing.

There are at least two things making this stay as "theory".

1.
There is no S/MIME trust structure that works except rather locally,
effectively making every person on the net a "PKI trust administrator".
Although the DoD has a solution ( http://www.certipath.com/services.htm ),
few other organizations can spend huge amounts of tax-payer money just
to prove that "it can be done", but are rather evaluating other options.

2.
The unavailability of a cheap, mobile, secure and fully standardized
container makes the certificate requirement a much too high bar.  That
not even the financial sector has managed to deploy such schemes to
more than 1-2% in spite of 10+ years of on-line banking is in my opinion
good enough as a proof.  The virtual explosion of Web-mail and mobile
phone mail actually makes the S/MIME-card-everywhere-vision
more distant than ever.  Well, the DoD has no problems [of course],
http://www.karbonsystems.com/BlackBerry-SMIME-CAC-products_detail-83.html
but who else would buy $200+ card-readers?


It might be interesting to know that some governments have indeed
removed S/MIME from their C2G (Citizen-to-Government) PKI
schemes since they have noted that the web is a more powerful way
of delivering services as well as offering encryption for free.

Regarding the failed DOMSEC experimental RFC, I believe that it
[partly] failed because the authors did not realize that there already was
a globally working PKI they should have hooked into; the web-server
SSL PKI.  Imagine, securing an entire e-mail domain for a measly $100-
$200 annually!  Too simple, too obvious, and too commercial I guess.

AR
