Recently a domain-to-domain version has been announced:
http://www.opengroup.org/messaging/sm/smgdev/doc.tpl?CALLER=index.tpl&gdid=4657
But it still looks heavyweight compared to Yahoo DomainKeys.
And it is not supported by the legacy base.
Wouldn't it be great if S/MIME could, instead of requiring a
cumbersome and O(n^2) initial key exchange between domains, make use
of opportunistic "oh, look, and here's the cert in DNS"?
Or alternatively, 'Oh look here is where I find the location
of the cert directory for the zone via DNS'. This is what the
XKMS work at W3C was all about.
Oh, and instead of "cert" read "self-signed public key".
That would be a self-signed cert.
It is pretty easy to generate self-signed certs if you have Office
installed and know how to use the cert generator.
What I would like to see in MUAs is:

1) Every MUA MUST at least tolerate multipart/signed messages;
   if the mechanism is not understood then the signature should
   be ignored silently.

2) MUAs should support S/MIME peer to peer, including:
     The ability to generate a cert request and forward to a CA
     The ability to generate a self-signed certificate
     The ability to forward either to a local cert repository

3) MUAs should support S/MIME signature.
   But failure of a signature should not disrupt the user interface
   unless it is known that all mail from that domain is signed.

4) MUAs should support S/MIME encryption:
     The ability to locate the necessary encryption key via the
     relevant cert repository obtained via DNS.

The idea of XKMS is to make this all possible and fluent. It should
be possible to set a mail client to sign and encrypt whenever the
recipient is known to support S/MIME.
Then maybe we'd get the benefits of the Yahoo DK infrastructure but
leverage the existing S/MIME base.
This looks like it will happen, the driving function here being
the phishing area.
Before phishing I thought that DK was the way forward to get some
crypto out there. As some of you probably know, VeriSign had been
pushing AuthSender, a scheme that looks very much like DK, for over
a year.
The phishing issue has suddenly created a need for something that
does provide end-to-end signature and is compatible with the installed
base.
Phill
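
An added example, not part of the original message: a sketch of the display policy in items 1 and 3 above, written with Python's standard email package. The function name triage, the verify callback (standing in for a real S/MIME verifier), the always_signing_domains set and the sample message are all assumptions made for illustration.

```python
from email import message_from_bytes
from email.utils import parseaddr

# Signature mechanisms this hypothetical MUA understands (S/MIME detached signatures).
UNDERSTOOD = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def triage(raw, verify, always_signing_domains=frozenset()):
    """Return (part_to_display, status) for a raw RFC 822 message.

    verify(body_part, signature_part) -> bool is supplied by the caller.
    status is one of "unsigned", "ignored", "verified", "warn".
    """
    msg = message_from_bytes(raw)
    if msg.get_content_type() != "multipart/signed":
        return msg, "unsigned"
    parts = msg.get_payload()
    if not isinstance(parts, list) or len(parts) != 2:
        return msg, "ignored"      # malformed wrapper: show as-is, raise no alarm
    body, sig = parts
    proto = msg.get_param("protocol")
    proto = proto.lower() if isinstance(proto, str) else ""
    if proto not in UNDERSTOOD:
        return body, "ignored"     # item 1: unknown mechanism, ignore silently
    if verify(body, sig):
        return body, "verified"
    # Item 3: a failed signature only reaches the user interface when the
    # sender's domain is known to sign all of its mail.
    sender = parseaddr(str(msg.get("From", "")))[1]
    domain = sender.rpartition("@")[2].lower()
    return body, ("warn" if domain in always_signing_domains else "ignored")

# Constructed sample message (not real mail; the signature bytes are a dummy).
SAMPLE = (
    b"From: Alice <alice@example.org>\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/signed; micalg=sha-256; boundary="b1";\r\n'
    b' protocol="application/pkcs7-signature"\r\n'
    b"\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    b"--b1\r\nContent-Type: application/pkcs7-signature\r\n\r\nAAAA\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE, lambda b, s: False)[1])
    print(triage(SAMPLE, lambda b, s: False, {"example.org"})[1])
```

In every signed case the first body part is what gets displayed; only the status changes, so a client that cannot or does not verify still shows the message.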