ietf-smime

Re: Goal for S/MIME 2007?

2007-02-01 12:00:25

"If we can persuade the people deploying DKIM at the client"

Putting DKIM in the client is IMHO not the right medicine.  Any scheme that
requires locally stored keys essentially suffers from the same basic problem;
that we [still] have no [reasonable] mechanism for carrying such keys.

"dependable transactional signatures"

Transactions are typically performed by transaction systems.  Due to this, I
cannot really see that S/MIME will play an important role in a future IT
landscape.

"I don't want to make S/MIME looser"

Neither do I, but it is enough that a message from john@example.com
is really coming from the example.com domain and is encrypted during its
transport to the receiver domain.  Well, this probably only caters for some
99.9% of all use-cases, but for most people that is "good-enough".  If a
0.1% "market-share" will keep S/MIME alive and kicking is yet to see.
I would not bet on it at least.

Anders R


----- Original Message -----
From: "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com>
To: "Anders Rundgren" <anders(_dot_)rundgren(_at_)telia(_dot_)com>; <ietf-smime(_at_)imc(_dot_)org>
Sent: Friday, January 26, 2007 03:52
Subject: RE: Goal for S/MIME 2007?


I think that in order to address that particular market we would have to spend
a lot of time re-engineering S/MIME to be less strict.

I don't want to make S/MIME looser. I want to work out a way to get people
signing and encrypting their email. I don't particularly care what technology
they use to do that.

S/MIME implementations lack a small amount of glue to make them more usable. If
we can persuade the people deploying DKIM at the client end to add those small
necessary pieces of glue to make the user experience seamless we end up with
the best of both worlds, ubiquitous lightweight signatures, dependable
transactional signatures and message encryption.



-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Anders Rundgren
Sent: Thursday, January 25, 2007 4:31 PM
To: ietf-smime(_at_)imc(_dot_)org
Subject: Re: Goal for S/MIME 2007?


In theory S/MIME could be one "cure" against spam, viruses
and phishing.

There are at least two things making this stay as "theory".

1.
There is no S/MIME trust structure that works except rather
locally, effectively making every person on the net a "PKI
trust administrator".
Although the DoD have a solution (
http://www.certipath.com/services.htm ), few other
organizations can spend huge amounts of tax-payer money just
to prove that "it can be done", but are rather evaluating
other options.

2.
The unavailability of a cheap, mobile, secure and fully
standardized container makes the certificate requirement a
much too high bar.  That not even the financial sector have
managed to deploy such schemes to more than 1-2% in spite of
10+ years of on-line banking is in my opinion good enough as
a proof.  The virtual explosion of Web-mail and mobile phone
mail, actually makes the S/MIME-card-everywhere-vision more
distant than ever.  Well, the DoD have no problems [of course],
http://www.karbonsystems.com/BlackBerry-SMIME-CAC-products_detail-83.html
but who else would buy $200+ card-readers?


It might be interesting knowing that some governments have indeed
removed S/MIME from their C2G (Citizen-to-Government) PKI
schemes since they have noted that the web is a more powerful way
of delivering services as well as offering encryption for free.

Regarding the failed DOMSEC experimental RFC, I believe that it
[partly] failed because the authors did not realize that there already was
a globally working PKI they should have hooked into; the web-server
SSL PKI.  Imagine, securing an entire e-mail domain for a measly $100-$200
annually!  Too simple, too obvious, and too commercial I guess.

AR



