ietf

Re: Why are mail servers not also key servers?

2017-04-21 12:00:49
I just wanted to second the draft-bhjl-x509-srv approach as preferable
to a new SMTP extension.  That draft calls for transport of the
certificate request and response to be over HTTPS.  As HTTPS is based on
Web PKI and generally has more up-to-date crypto (due to the ecosystem),
that traffic will stay private.  SMTP uses STARTTLS, which has stripping
problems, and its PKI is worse off.  There are a lot of self-signed certs
there, making certificate path validation problematic.  Just my two cents.

-Wei

On Thu, Apr 20, 2017 at 1:54 PM, John Levine <johnl(_at_)taugh(_dot_)com> wrote:

In article <FC831208-97A3-4F1B-A37C-F8646C3FB208(_at_)gmail(_dot_)com> you write:
SMTP servers could be key servers without having the private key of
individuals?

Sure. If they double as HTTPS servers.

As others have noted, this topic has come up more than a few times before.

Here's a recent draft we wrote for a simple per-domain HTTPS key
server, based almost entirely on existing standards.  It distributes
public keys.  Managing your private keys on all of your MUAs remains
as intractable a problem as it's always been.

https://datatracker.ietf.org/doc/draft-bhjl-x509-srv/

R's,
John

