Hi Paul,
First motivation is an observation that there a number of scenarios where the
natural course of action would be to send some information in a message which
is covered by one or more polices. We see that email is not being used in these
casas or is being used with some risk of non-compliance because of the lack of
policy enforcement. Those polices may be for example a regulatory policy, or an
organization policy or both. The duty to enforce the policy is asymmetric by
that I mean the onus is on the sender to ensure the information is only
released when the other parties have passed the policy requirements. With ESS
today the onus is on the recipient to not read the email. With content
published on the web, the requestor has to convince the web site to release the
information and we want to use the same model for email. I am working with a
number of Aerospace and Defense companies which has as an industry adopted
S/MIME for email. This is delivering well as far as the existing
standard can but we have found it lacking when it comes to delivering
regulatory compliance. I have discussed the same issues with representative
from other verticals such as healthcare and they have agreed with the
observations.
Another motivation is the observation that we still have many situations where
users don't have X.509 certificates and are hence prevented from participating
in S/MIME. With abstraction models such as SAML, it is now possible for the
specifics of the authentication to be abstracted from an application. If we can
deliver the same benefit to email as SAML has delivered to the web we can
switch the requirement to users having a policy conformant credential and the
relying part does not care what. It could be OTP or biometric or whatever as
long as it's the required strength rather than it MUST be an X.509 certificate.
Overall we are looking to convergence of email and the web from a policy
perspective. If you publish some content with the web or send it via email the
same policies need apply. The same sets of attribute you use to access web for
access control policy content should get you the same content via email.
We think we can achieve the objectives and, within the scope of policy, and be
backwards compatible with the existing standard. If the sender is convinced
some set of recipients pass the policy check and they can find X.509
certificates, they can use the existing mechanism else you use the new
mechanism. We believe we can mix both on the same message.
Trevor
-----Original Message-----
From: smime-bounces(_at_)ietf(_dot_)org
[mailto:smime-bounces(_at_)ietf(_dot_)org] On Behalf Of Paul Hoffman
Sent: Friday, January 21, 2011 9:38 AM
To: smime(_at_)ietf(_dot_)org
Subject: Re: [smime] FW: I-D
Action:draft-freeman-message-access-control-req-00.txt
On 1/21/11 9:27 AM, Trevor Freeman wrote:
This should be of interest to members of the members of the list.
Should be, yes. Could you explain a bit of the motivation for the document? Is
there a particular regulatory driver for this, or just a general desire to make
this available? Knowing this would help people understand your design and
possibly make comments on it.
_______________________________________________
smime mailing list
smime(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/smime
_______________________________________________
smime mailing list
smime(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/smime