I think the benefits of an authoritative server out weighs the worries that
you suggest. In the web world, its been very helpful to be certain what
one should chain up via browser certificate pinning or HPKP. A whole host
of malfeasance was found this way. Even in the limited use that S/MIME has
today, in government and defense, its likely to be very useful.
The only thing that depends on DNSSEC for trust is the new option for a
domain to publish a S/MIME signing key for its users' keys. Lacking
DNSSEC, the traditional CA PKI is still there.
If the WG thinks the domain's key should be authoritative, that'd be fine
with me. We didn't want to make any unilateral changes to the trust model
without it being clear that it's a change and that there's consensus
behind it.
Regards,
John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
_______________________________________________
smime mailing list
smime(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/smime