ietf-smime

Re: [smime] Key lookup service via draft-bhjl-x509-srv-00

2016-03-23 18:00:59
On Wed, Mar 23, 2016 at 3:23 PM, John R Levine <johnl(_at_)taugh(_dot_)com> wrote:

Could Yahoo! (in this example) not provide a means for their users to
update the key lookup service?  As the user is authenticated through their
UI, he or she could upload the keys they want in a secure way.


Sure, and then Yahoo would serve the keys the users provide.

R's,
John

PS: Except for the MITM keys installed by government order or rogue
employees.


If this is part of the threat model, CONIKS has some ideas about auditing
key services against what they term equivocation, or presenting different
keys to different users. The other aspect, albeit in the far future: one
could try to replicate what has been done with WebPKI, which in my opinion
has been effective against those threats, and create a broad trusted anchor
ecosystem with strong enforcement.

-Wei