vaibhav singh <vaibhavsinghacads(_at_)gmail(_dot_)com> wrote:
> Another question which I was not clear about was how S/MIME would be
> integrated with delegation. For example, suppose the delegate were to
> create a signed email on behalf of the manager, in which case the
> manager would have to share his private key with the delegate. This
> would definitely not be secure.

It is possible to have more than one certificate issued for a given DN,
but usually we try to avoid such things. Some variation of this is probably
the right answer. You'll have to talk to an enterprise CA provider to
understand if they do anything. I suspect that if you can make contact
with the Microsoft certificate authority people (I don't know them), they
will know if they have solved this problem.

I'm not sure if you read this part:

mcr> This seems like it might be the space for a SAML assertion.
mcr> I believe that many IMAP servers use small subsets of SAML to provide
mcr> ACLs, and it would fit right in there. I suspect that there is space
mcr> for an RFC about how to do this in a standard way.

Michael Richardson <mcr+IETF(_at_)sandelman(_dot_)ca>, Sandelman Software Works
-= IPv6 IoT consulting =-