Having a place where everyone sends signed mail with their certificate is a bad
idea: people will think that it is a good source of certificates, which it is
not.

Having said that, a service that receives an email, a human vets it slightly,
and then there is a round-trip test that the purported sender can receive mail
at that address and respond to it, seems reasonable. It would work just as well
for OpenPGP. Someone who trusts that the service is adequately run could use it
to get certs, and maybe even tell people to use it.

I'm not volunteering to design or write this, but would be willing to kibitz
on drafts.

There is recent precedent for such a service: see <https://keybase.io>. I'm
"paulehoffman" on that service, and have two invites left if folks are
interested. It is a bigger picture than what is being proposed here, and is
having birthing pains, but so far seems useful.
--Paul Hoffman
_______________________________________________
smime mailing list
smime(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/smime