In message <alpine.OSX.2.11.1603102243510.636@ary.local>, John R Levine
<johnl(_at_)taugh(_dot_)com> writes

>In my
>experience, even those of us with a zillion inbound addresses don't use
>all that many addresses for outbound mail, so it's practical to enumerate
>them all in certificates.

it's not uncommon to use destination specific addresses which are
invented in an ad hoc manner

    john+ietfsmtplist AT taugh.com

and there's a fair amount of support in MTAs for handling the replies
for this usage (although "+" is the de facto scheme; I've seen other
characters).

So you'd probably want some sort of wildcarding in the enumeration (and
that way of course lies madness [if we weren't there already])

>For encryption of inbound mail, it doesn't matter what address is in the
>certificate; if the recipient can decode the message it's the right one,
>otherwise it's not. So the sender can ask the domain's key oracle for a
>certificate for the address, the key oracle applies local rules and
>provides a certificate that might have the exact requested address, or
>might have another address that goes to the same recipient.

one of the reasons that I like non-oracle non-automated schemes is that
I encrypt only some email (shock horror!) and so when I am about to send
a message to Fred and it is not encrypted then I realise I have the
wrong Fred ... and I re-consult my address book. Oracles and automation
lead to perfectly secure messages on the wire being sent to totally the
wrong place (where they will be decrypted just fine) whether you
implement that in the MUA or by consulting MTAs.

viz: there's important human factors here. Now if that's entirely out
of scope then automate away...

"If you think cryptography is the solution to your problem, then you
don't understand cryptography and you don't understand your
problem" - Roger Needham and Butler Lampson

--
richard                                              Richard Clayton

Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin