
Re: PGP security models, was Summary of IETF LC for draft-ietf-dane-openpgpkey

2015-09-23 15:21:57
On Wed, Sep 23, 2015 at 4:03 PM, Melinda Shore <melinda(_dot_)shore(_at_)gmail(_dot_)com> wrote:

> I think I'd understand the objections and agree with many of
> the concerns being expressed if this were a standards-track
> document, but it's not.  It specifies a record type for
> experimental purposes, to increase the likelihood that people
> playing around with implementation implement the same things.
> It's somewhere between annoying and frustrating that an
> experimental document is being held to the same level of
> baked-ness that we expect of an internet standard.


I have already seen this experiment being used as an argument to drop
support for S/MIME roots in a root store.

The earlier projects that raised my concern were also 'experimental' or
otherwise outside standards track.

I have no problem with the draft going forward, provided that there is a
statement that I and other people making proposals can point to stating
that this is not going to block other approaches.

For example, if you have an organization that is hierarchical such as the
US federal government, the simplest way to deploy end-to-end email in the
organization would be to deploy a PKIX CA to issue S/MIME certificates,
store the certificates in a Web server [*] and stick the address of the web
server and the fingerprint of the intermediate KSK in a DNS record.

With this approach you have a separation in the service protocols that
matches the separation of duties in the typical enterprise. DNS is an
infrastructure that describes services, not an enterprise that describes
people.


[*] not a directory, not X.500, not LDAP, no, a Web server that works and
does not require a $50,000 consult to configure it. X.500 directory was the
best wheeze the NSA ever had to sabotage PKI deployment and LDAP is just as
bad.
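The Web-server-plus-DNS-pin scheme sketched in the message, as an added example that is not the author's code nor any IETF draft's: it assumes a hypothetical DNS record layout carrying the Web server address and a SHA-256 fingerprint of the issuing CA, builds an in-memory CA and S/MIME leaf as constructed data, and pins the issuing CA directly rather than a separate intermediate KSK.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// DiscoveryRecord stands in for the DNS record sketched in the mail (hypothetical layout).
type DiscoveryRecord struct {
	WebServer   string   // constructed, e.g. "https://certs.example.gov/"
	Fingerprint [32]byte // SHA-256 over the issuing CA certificate's DER bytes
}
// VerifyWithRecord is the relying-party check: the CA certificate fetched from the Web server
// must match the DNS pin, and the leaf must chain to that CA; the Web server is only a store.
func VerifyWithRecord(rec DiscoveryRecord, leafDER, caDER []byte) error {
	if sha256.Sum256(caDER) != rec.Fingerprint {
		return errors.New("CA certificate does not match fingerprint in DNS record")
	}
	ca, err1 := x509.ParseCertificate(caDER)
	leaf, err2 := x509.ParseCertificate(leafDER)
	if err1 != nil || err2 != nil {
		return errors.New("malformed certificate fetched from Web server")
	}
	anchors := x509.NewCertPool()
	anchors.AddCert(ca) // the pinned CA is the only trust anchor, whoever served the bytes
	_, err := leaf.Verify(x509.VerifyOptions{Roots: anchors, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err
}
// BuildDemoPKI constructs in memory (constructed data) an issuing CA, an S/MIME leaf for
// alice, and the record the organisation would publish in DNS for that CA.
func BuildDemoPKI() (rec DiscoveryRecord, leafDER, caDER []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	aliceKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Example Agency S/MIME CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	caDER, _ = x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), EmailAddresses: []string{"alice@example.gov"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, NotBefore: ca.NotBefore, NotAfter: ca.NotAfter}
	leafDER, _ = x509.CreateCertificate(rand.Reader, leaf, caCert, &aliceKey.PublicKey, caKey)
	return DiscoveryRecord{WebServer: "https://certs.example.gov/", Fingerprint: sha256.Sum256(caDER)}, leafDER, caDER
}
```

Leaf certificates can be replaced on the Web server at will; only a change of issuing CA requires touching the DNS record, which is the separation of duties the message describes.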