ietf-smime

Re: [smime] S/MIME publishing mailing list

2015-01-23 13:15:41
On Fri, Jan 23, 2015 at 1:45 PM, Paul Hoffman 
<paul(_dot_)hoffman(_at_)vpnc(_dot_)org> wrote:

Having a place where everyone sends signed mail with their certificate is
a bad idea: people will think that it is a good source of certificates,
which it is not.

Having said that, a service that receives an email, a human vets it
slightly, and then there is a round-trip test that the purported sender can
receive mail at that address and respond to it, seems reasonable. It would
work just as well for OpenPGP. Someone who trusts that the service is adequately
run could use it to get certs, and maybe even tell people to use.


+1

What you describe is a CA in that it issues certs. Much better to have a
low fidelity CA than no CA at all.

Comodo is currently providing free S/MIME certs to individuals which is
inside the PKIX model.


For private individuals giving certifications, I would prefer to move
outside the PKIX syntax and define a new structure, an 'endorsement'. There
is no value to doing that in ASN.1 and we don't want to do path math or
chain construction on them.  But they are incredibly valuable.



I'm not volunteering to design or write this, but would be willing to
kibitz on drafts.

There is recent precedent for such a service: see <https://keybase.io>.
I'm "paulehoffman" on that service, and have two invites left if folks are
interested. It is a bigger picture than what is being proposed here, and is
having birthing pains, but so far seems useful.


One bit of missing glue is whether a recipient prefers to receive encrypted
mail. Right now I only have some of my mail clients supporting S/MIME and
so I really don't want encrypted mail unless it is important that it be
confidential.

Reading encrypted mail on a webmail interface is not too difficult, it's
just a different media reader. Authoring is harder.