
Re: [smime] S/MIME publishing mailing list

2015-01-23 13:08:27
On Fri, Jan 23, 2015 at 10:11 AM, Russ Housley 
<housley(_at_)vigilsec(_dot_)com> wrote:

> The IETF Enroll WG was chartered to solve this problem, but it folded
> before doing so.
>
> http://datatracker.ietf.org/wg/enroll/charter/
>
> We could get the ietf-enroll mail list reactivated if there is interest.



That is one approach. But I think the problem is a bit bigger than certs
and that we should try to share as much of the ACME work as possible.

What I am trying to do with PRISMProof is to

1) Make using S/MIME as easy and transparent as using regular mail.
2) End the trust model wars by enabling a trust model agnostic approach.

One consequence of (1) is that in the days when we all have multiple email
devices, we need to be able to read our mail on any one of them. That means
that the only feasible model is one in which we have one decryption key per
role that is shared across all the devices permitted to read mail in that
role.

Fortunately a direct consequence of (1) is that all the processes have to
be automated so that there is no user interaction except when initially
setting up a personal hierarchy and when attaching a device to it as
authorized to receive mail. That means that rotating the encryption key on
a weekly basis is quite practical. Provided, that is, the trust model is
bound to a more permanent key.


So what I have working now is a command line program that when run will
automatically configure Windows Livemail (aka Outlook Express) to use
S/MIME. It would be easy to support other clients, that is just the one I
started with.

The only user parameter is an optional parameter for an external CA. By
default, self signed certs are generated. The next step is to hook them up
to a CA. Comodo has a free cert for S/MIME program and an API which is a
logical starting point. But the API is not JSON and it makes more sense to
have a single web service for S/MIME and TLS which I hope ACME will take
note of.


At the moment all messages go over HTTP. I see no advantage to using SMTP
for the purpose of managing certs and private keys. I am not aware of any
modern Internet device that is not capable of doing HTTP. Why make things
hard?
_______________________________________________
smime mailing list
smime(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/smime
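As an added illustration of the design sketched in the post above (a per-role decryption key shared by every device, rotated weekly, with trust anchored in a more permanent key), here is example code written for this page; it is not PRISMProof code and not part of the original thread. The Ed25519 hierarchy key, the X25519 encryption key, the record layout and the seven-day window are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// KeyRecord binds a short-lived X25519 decryption key to a role. The permanent
// hierarchy key signs it, so devices trust one key while encryption keys rotate.
type KeyRecord struct {
	Role                string
	PubKey              []byte // X25519 public key shared by every device in the role
	NotBefore, NotAfter int64  // validity window, unix seconds
	Sig                 []byte // ed25519 signature over the NUL-separated fields above
}
func (r *KeyRecord) signedBytes() []byte {
	return []byte(fmt.Sprintf("%s\x00%x\x00%d\x00%d", r.Role, r.PubKey, r.NotBefore, r.NotAfter))
}

// IssueWeeklyKey makes a fresh X25519 key pair valid seven days from start and
// has the hierarchy signing key certify its public half (assumed layout).
func IssueWeeklyKey(root ed25519.PrivateKey, role string, start time.Time) (*ecdh.PrivateKey, *KeyRecord, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rec := &KeyRecord{Role: role, PubKey: priv.PublicKey().Bytes(), NotBefore: start.Unix(), NotAfter: start.AddDate(0, 0, 7).Unix()}
	rec.Sig = ed25519.Sign(root, rec.signedBytes())
	return priv, rec, nil
}

// VerifyRecord accepts a record only if the hierarchy key signed it and now lies inside its validity window.
func VerifyRecord(rootPub ed25519.PublicKey, rec *KeyRecord, now time.Time) error {
	if !ed25519.Verify(rootPub, rec.signedBytes(), rec.Sig) {
		return fmt.Errorf("record for role %q not signed by the hierarchy key", rec.Role)
	}
	if t := now.Unix(); t < rec.NotBefore || t > rec.NotAfter {
		return fmt.Errorf("record for role %q is outside its validity window", rec.Role)
	}
	return nil
}

func main() {
	rootPub, root, _ := ed25519.GenerateKey(rand.Reader) // permanent hierarchy key
	_, rec, _ := IssueWeeklyKey(root, "personal", time.Now())
	fmt.Println(VerifyRecord(rootPub, rec, time.Now()), "|", VerifyRecord(rootPub, rec, time.Now().AddDate(0, 0, 8)))
}
```

The private half returned by IssueWeeklyKey is what every device in the role would receive; a device holding only the hierarchy public key can validate any week's record without further user interaction.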