I think that in order to address that particular market we would have to spend
a lot of time re-engineering S/MIME to be less strict.
I don't want to make S/MIME looser. I want to work out a way to get people
signing and encrypting their email. I don't particularly care what technology
they use to do that.
S/MIME implementations lack a small amount of glue to make them more usable. If
we can persuade the people deploying DKIM at the client end to add those small
necessary pieces of glue to make the user experience seamless we end up with
the best of both worlds, ubiquitous lightweight signatures, dependable
transactional signatures and message encryption.
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Anders
Sent: Thursday, January 25, 2007 4:31 PM
Subject: Re: Goal for S/MIME 2007?
In theory S/MIME could be one "cure" against spam, viruses
There are at least two things making this stay as "theory".
There is no S/MIME trust structure that works except rather
locally, effectively making every person on the net a "PKI
Although the DoD have a solution (
http://www.certipath.com/services.htm ), few other
organizations can spend huge amounts of tax-payer money just
to prove that "it can be done", but are rather evaluating
The unavailability of a cheap, mobile, secure and fully
standardized container makes the certificate requirement a
much too high bar. That not even the financial sector have
managed to deploy such schemes to more than 1-2% in spite of
10+ years of on-line banking is in my opinion good enough as
a proof. The virtual explosion of Web-mail and mobile phone
mail, actually makes the S/MIME-card-everywhere-vision more
distant than ever. Well, the DoD have no problems [of
but who else would buy $200+ card-readers?
It might be interesting knowing that some governments have indeed
removed S/MIME from their C2G (Citizen-to-Government) PKI
schemes since they have noted that the web is a more powerful way
of delivering services as well as offering encryption for free.
Regarding the failed DOMSEC experimental RFC, I believe that it
[partly] failed because the authors did not realize that
there already was
a globally working PKI they should have hooked into; the web-server
SSL PKI. Imagine, securing an entire e-mail domain for a measly $100-
$200 annually! Too simple, too obvious, and too commercial I guess.