ietf-smime

Re: S/MIME key distribution proposal

2007-11-22 15:14:22

Whether this is good or not depends on what you want to achieve.

If the goal is establishing confidential communication between a limited number of parties, it seems that on-line schemes (IM, Skype) tailored after TLS could also be a viable alternative. Message encryption is a PITA and doesn't really work for the mass market due to the absence of a working key recovery scheme.

For ordinary enterprise messaging, server-to-server encryption is the only realistic alternative in order to comply with the various information leakage and content control policies that are currently being put in place. Massive use of end-to-end encryption is simply not feasible, no matter how useful it may appear to be.

Another fly in Ian's soup is that the US government (which is the entity that has thrown the most money at this long-dead horse called S/MIME) so far hasn't actually published its keys. BTW, in this context it is worth mentioning that as a citizen you rather often deal with a department rather than an officer, since you typically do not know the government people that well. The only working and [almost] established way of securely communicating with a department is through the web.

It seems that S/MIME encryption works fine for communities having strong IT support. On the Internet it doesn't work equally well and has also been displaced by the web. On the Internet we primarily need to improve authentication and reduce spam.

AR

----- Original Message ----- 
From: "Peter Gutmann" <pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz>
To: <ietf-smime(_at_)imc(_dot_)org>
Sent: Thursday, November 22, 2007 15:50
Subject: S/MIME key distribution proposal
https://financialcryptography.com/mt/archives/000966.html

  If an email can be used to send the key (signed), then why can't an email be
  used to request a key? Imagine that we added an email convention, a little
  like those old maillist conventions, that did this:

    Subject: GETSMIME fc(_at_)example(_dot_)com

  and send it off. A mailclient like Thunderbird could simply reply by
  forwarding the key. (How this is done is an exercise for the reader. If you
  can't think of 3 ways in the next 3 minutes, you need more exercise.)

Seems like a very simple, straightforward way to automate getting someone's
key for S/MIME email purposes.  Is it worth doing this as an RFC to get it
standardised in mailers?

Peter.
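The GETSMIME convention quoted above, as an added example that is not code from the thread or from any mail client: a Python auto-responder that recognises the request subject, answers only for addresses it actually holds (so it cannot be used as a directory of other people's keys), and returns the certificate as an attachment. The header layout, the `application/pkix-cert` attachment type and the placeholder certificate are assumptions; signing the reply, which the proposal takes for granted, is left to the caller's S/MIME layer.

```python
import email
import re
from email.message import EmailMessage
from email.policy import default

# Addresses whose certificates this responder is willing to hand out.
# Constructed sample data: the PEM body is a placeholder, not a real certificate.
LOCAL_IDENTITIES = {
    "fc@example.com": b"-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n",
}

# Subject form from the proposal: "GETSMIME <address>"
GETSMIME_RE = re.compile(r"^\s*GETSMIME\s+(\S+@\S+)\s*$", re.IGNORECASE)


def parse_getsmime_request(raw: bytes):
    """Return (requester, requested_address) if `raw` is a GETSMIME request
    for an address this responder serves, otherwise None."""
    msg = email.message_from_bytes(raw, policy=default)
    m = GETSMIME_RE.match(str(msg.get("Subject", "")))
    if not m:
        return None
    requested = m.group(1).lower()
    # Only answer for our own identities; never relay or look up third-party keys.
    if requested not in LOCAL_IDENTITIES:
        return None
    requester = str(msg.get("From", "")).strip()
    if not requester:
        return None
    return (requester, requested)


def build_key_reply(requester: str, requested: str) -> EmailMessage:
    """Build the reply that forwards the certificate. The caller is expected to
    S/MIME-sign the result before sending it (assumed, not implemented here)."""
    reply = EmailMessage(policy=default)
    reply["From"] = requested
    reply["To"] = requester
    reply["Subject"] = f"Re: GETSMIME {requested}"
    reply.set_content(f"S/MIME certificate for {requested} is attached.")
    reply.add_attachment(LOCAL_IDENTITIES[requested], maintype="application",
                         subtype="pkix-cert", filename=f"{requested}.cer")
    return reply


# Constructed sample request, as a client following the convention would send it.
SAMPLE_REQUEST = (b"From: alice@example.org\r\nTo: fc@example.com\r\n"
                  b"Subject: GETSMIME fc@example.com\r\n\r\n")
```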
