Yoav Nir <ynir(_dot_)ietf(_at_)gmail(_dot_)com> wrote:
>> OpenPGP format permits a (public) key blob to contain many signing
>> (sub)keys, and so distributing a public key with a set of subkeys
>> where the private keys are stored on laptops and phones, etc. would
>> work.
>>> You end up reading encrypted mail only using one MUA, which is one
>>> more thing dragging the use of S/Mime down.
>> Agreed; I'm not sure if PKIX has a subkey concept. I suspect it's in
>> a standard, but I'm unclear if it was ever deployed.
> That works OK for signatures, but for encryption? You’d have to
> encrypt the message with each subkey. Yeah, I know only the symmetric
> key gets encrypted but it’s still ugly.
I'm pretty sure that the spec already says to do that.
> And we haven’t even mentioned the web MUA and where it stores the
> private keys.
There are existing S/MIME and PGP plugins and extensions for browsers that do
this. I'm aware of one that has received significant commercial success in
some quarters. I think that they can use the javascript local storage for
private keys, but I suspect that they also have options to store them
encrypted elsewhere.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr(_at_)sandelman(_dot_)ca http://www.sandelman.ca/ | ruby on rails [
--
Michael Richardson <mcr+IETF(_at_)sandelman(_dot_)ca>, Sandelman Software Works
-= IPv6 IoT consulting =-
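The multi-subkey cost discussed above (one symmetric body, one wrapped session key per encryption subkey), as an added illustration that is not code from the thread or from any OpenPGP implementation. The public-key step is a textbook-RSA stand-in on constructed Mersenne-prime moduli and the symmetric cipher is a hashed-counter keystream, both placeholders chosen only to keep the example self-contained; the "laptop"/"phone" key IDs are constructed labels.

```python
import hashlib, os
from dataclasses import dataclass

@dataclass(frozen=True)
class Subkey:
    keyid: str   # constructed label, e.g. "laptop"
    n: int
    e: int
    d: int = 0   # private exponent; only the owning device holds it

def toy_subkey(keyid, p, q, e=65537):
    # Constructed textbook-RSA stand-in for an encryption subkey (NOT OpenPGP's
    # real padding or algorithms); Mersenne primes keep it short and checkable.
    return Subkey(keyid, p * q, e, pow(e, -1, (p - 1) * (q - 1)))

def public_half(sub):
    # What actually travels in the distributed key blob: no private exponent.
    return Subkey(sub.keyid, sub.n, sub.e)

def keystream_xor(session_key, data):
    # Placeholder symmetric cipher: SHA-256 counter-mode keystream XORed in.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(session_key + i.to_bytes(4, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt_to_subkeys(plaintext, subkeys, session_key=None):
    """Encrypt the body once; wrap the session key once per subkey (N PKESKs)."""
    session_key = session_key or os.urandom(8)  # 64 bits fits under the toy moduli
    sk = int.from_bytes(session_key, "big")
    pkesk = {s.keyid: pow(sk, s.e, s.n) for s in subkeys}  # one entry per subkey
    return {"pkesk": pkesk, "body": keystream_xor(session_key, plaintext)}

def decrypt_with(msg, sub):
    """A device holding only its own subkey's private half recovers the message."""
    sk = pow(msg["pkesk"][sub.keyid], sub.d, sub.n)
    return keystream_xor(sk.to_bytes(8, "big"), msg["body"])

# Constructed subkeys: distinct primes per device so neither shares a factor.
LAPTOP = toy_subkey("laptop", (1 << 31) - 1, (1 << 61) - 1)
PHONE = toy_subkey("phone", (1 << 89) - 1, (1 << 107) - 1)

def demo(text=b"subkeys on laptop and phone"):
    msg = encrypt_to_subkeys(text, [public_half(LAPTOP), public_half(PHONE)])
    return (len(msg["pkesk"]), decrypt_with(msg, LAPTOP), decrypt_with(msg, PHONE))
```

The wrapped-key count grows with the number of subkeys while the encrypted body stays a single copy, which is exactly the "only the symmetric key gets encrypted" trade-off.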