> So an authoritative service makes sense in an Enterprise context, but not in a
> consumer context. How do you preserve consumer choice if Yahoo! owns their
> email service, but they want to certify keys elsewhere?
Welcome to the key semantics undrainable swamp of despair.
If the domain says "I'm authoritative for all my users" and one of the
users says "no you're not", there's no mechanical way to resolve that.
You can punt to the user, which is known not to work ("Accept domain
self-signed key for igor@example.org gargle jargon blurch OK!") or else
you can appeal to a credible third party. Except the third parties are
CAs and they're not as credible as we might wish.
This is why the draft tip-toes around the edge of the swamp, for fear of
falling in.
Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
_______________________________________________
smime mailing list
smime@ietf.org
https://www.ietf.org/mailman/listinfo/smime