ietf-smime

RE: Goal for S/MIME 2007?

2007-01-25 20:24:17

I think that in order to address that particular market we would have to spend 
a lot of time re-engineering S/MIME to be less strict. 

I don't want to make S/MIME looser. I want to work out a way to get people 
signing and encrypting their email. I don't particularly care what technology 
they use to do that.

S/MIME implementations lack a small amount of glue to make them more usable. If 
we can persuade the people deploying DKIM at the client end to add those small 
necessary pieces of glue to make the user experience seamless, we end up with 
the best of both worlds: ubiquitous lightweight signatures, dependable 
transactional signatures and message encryption.



-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org 
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Anders 
Rundgren
Sent: Thursday, January 25, 2007 4:31 PM
To: ietf-smime(_at_)imc(_dot_)org
Subject: Re: Goal for S/MIME 2007?


In theory S/MIME could be one "cure" against spam, viruses 
and phishing.

There are at least two things making this stay as "theory".

1.
There is no S/MIME trust structure that works except rather 
locally, effectively making every person on the net a "PKI 
trust administrator".
Although the DoD have a solution 
( http://www.certipath.com/services.htm ), few other 
organizations can spend huge amounts of tax-payer money just 
to prove that "it can be done", but are rather evaluating 
other options.

2.
The unavailability of a cheap, mobile, secure and fully 
standardized container makes the certificate requirement a 
much too high bar.  That not even the financial sector have 
managed to deploy such schemes to more than 1-2% in spite of 
10+ years of on-line banking is in my opinion good enough as 
a proof.  The virtual explosion of Web-mail and mobile phone 
mail actually makes the S/MIME-card-everywhere vision more 
distant than ever.  Well, the DoD have no problems [of 
course], 
http://www.karbonsystems.com/BlackBerry-SMIME-CAC-products_detail-83.html
but who else would buy $200+ card-readers?


It might be interesting to know that some governments have indeed
removed S/MIME from their C2G (Citizen-to-Government) PKI
schemes since they have noted that the web is a more powerful way
of delivering services as well as offering encryption for free.

Regarding the failed DOMSEC experimental RFC, I believe that it
[partly] failed because the authors did not realize that there
already was a globally working PKI they should have hooked into:
the web-server SSL PKI.  Imagine, securing an entire e-mail domain
for a measly $100-$200 annually!  Too simple, too obvious, and too
commercial I guess.

AR
