Received: from above.proper.com (above.proper.com [208.184.76.39])
 by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA21443
 for <smime-archive@lists.ietf.org>; Tue, 12 Aug 2003 12:57:48 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
 by above.proper.com (8.12.9/8.12.8) with ESMTP id h7CGX0qt085744
 for <ietf-smime-bks@above.proper.com>; Tue, 12 Aug 2003 09:33:00 -0700 (PDT)
 (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost)
 by above.proper.com (8.12.9/8.12.9/Submit) id h7CGX0FA085743
 for ietf-smime-bks; Tue, 12 Aug 2003 09:33:00 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to
 owner-ietf-smime@mail.imc.org using -f
Received: from smtp2.fre.skanova.net (smtp2.fre.skanova.net [195.67.227.95])
 by above.proper.com (8.12.9/8.12.8) with ESMTP id h7CGWxqt085730
 for <ietf-smime@imc.org>; Tue, 12 Aug 2003 09:32:59 -0700 (PDT)
 (envelope-from anders.rundgren@telia.com)
Received: from arport (t10o913p62.telia.com [213.64.27.182])
 by smtp2.fre.skanova.net (8.12.9/8.12.9) with SMTP id h7CGWooe016255;
 Tue, 12 Aug 2003 18:32:50 +0200 (CEST)
Message-ID: <001301c360ef$41128990$0500a8c0@arport>
From: "Anders Rundgren" <anders.rundgren@telia.com>
To: "Julien Pierre" <jpierre@netscape.com>, <ietf-smime@imc.org>
Cc: "Hallam-Baker, Phillip" <pbaker@verisign.com>
References: <2A1D4C86842EE14CA9BC80474919782E01112FFC@mou1wnexm02.verisign.com>
Subject: Re: dissemination of public encryption certificates
Date: Tue, 12 Aug 2003 18:31:53 +0200
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit


Pierre,
It is good to hear somebody bring up this question which is absolutely
vital for successful deployment of encrypted mail.

Personally I don't think that either the S/MIME WG or the XKMS WG
has a solution that at least I would call "acceptable".

XKMS addresses to some extent the enterprise scenario but only
if the enterprise has their own domain and associated CA.  For
truly TTP-based certificates you are out of luck if you are looking
for automated functionality.

I believe that the mail protocol and associated applications
should be augmented with encryption certificate lookup. A
MIME X-extension that you configured in your e-mail client
would do a part of this.  I.e. each time you sent a mail, the
lookup would be transmitted as well.   Also it would be
nice to have an enhanced "mailto:" URL supporting the same
mechanism.

In summary I think that a certificate-independent configuration
of e-mail clients would be more universal than "fishing" in
domains as the user domain and issuer domain may be entirely
disjunct.

Anders

----- Original Message ----- 
From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
To: <jpierre@netscape.com>; <ietf-smime@imc.org>
Sent: Tuesday, August 12, 2003 01:55
Subject: RE: dissemination of public encryption certificates


Hi,

This issue is one of the main use cases for XKMS. This has
considerable support within the PKI community; VeriSign, Microsoft, RSA,
Entrust and Baltimore have been involved in writing the specification,
which is in the final post-last-call stage in W3C.

The (almost) final spec is to be found at 
http://www.w3.org/2001/XKMS/Drafts/XKMS20030804/xkms-part-1.html
http://www.w3.org/2001/XKMS/Drafts/XKMS20030804/xkms-part-2.html

There will be two further changes to the spec, one to make a
minor tweak to the schema sometime this week, the second to change the
examples to use exclusive C14N.

An XKMS locate service may be advertised in the DNS using the
SRV record. So to send mail to alice@example.com you do an XKMS locate
to _xkms_http._tcp.example.com.
That gives you the XKMS service.

You then do a locate for a certificate to be used with S/MIME.

Phill


> -----Original Message-----
> From: jpierre@netscape.com [mailto:jpierre@netscape.com]
> Sent: Friday, August 08, 2003 10:07 PM
> To: ietf-smime@imc.org
> Subject: dissemination of public encryption certificates
> 
> 
> Hi,
> 
> Since this is my first posting to this mailing list, let me introduce
> myself:
> 
> I'm a software engineer in AOL / Netscape and one of my responsibilities
> for several years has been to maintain the open source Netscape Security
> Services (NSS) library, which is used in the Mozilla browsers, many
> Netscape and Sun servers, and other internal products. The NSS library
> contains an implementation of S/MIME v3.
> 
> I was wondering what thoughts you may have on the following problem:
> 
> If I have a keypair and e-mail certificate, and I want to send encrypted
> e-mail to somebody knowing his e-mail address, what's a systematic way
> to obtain the recipient's encryption certificate?
> 
> Traditionally today, signed e-mail messages typically contain the
> signer's public encryption certificate. However, that means one party
> needs to first send a signed, unencrypted e-mail message to transmit the
> public encryption certificate before both parties can exchange encrypted
> messages.
> 
> There are also ways to find recipient certificates today using corporate
> directory servers, but users must know about them and manually configure
> them in their applications, and they are typically not widely available
> on the Internet.
> 
> I'm envisioning some standardized scheme where, by starting with the
> recipient's email address, it would be possible to locate a public
> directory server, then find the recipient's certificate by looking it up
> in that directory server.
> 
> My main question is: has any similar scheme been proposed? I would
> rather work with something that exists, but if there is nothing that
> fits, I'm open to writing an RFC.
> 
> Also, what are the other ways that people locate recipient S/MIME e-mail
> encryption certificates?
> 
> Thanks.
> 
> 
> 
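The two-step discovery Phill sketches (SRV lookup of `_xkms_http._tcp.<domain>` for the recipient's domain, then an XKMS locate for an S/MIME certificate), worked through as an added example. This is editor-written illustration code, not code from the thread, from XKMS, or from NSS. It does not query DNS: the SRV answers are constructed sample data passed in as a dictionary, so it runs offline. The XKMS 2.0 namespace, element names (`LocateRequest`, `RespondWith`, `QueryKeyBinding`, `UseKeyWith`) and the `urn:ietf:rfc:2633` application URI are written from memory of the XKMS 2.0 drafts and should be checked against the W3C documents linked above; the `/xkms` URL path is an assumption, since an SRV record carries only host and port. The example also covers the case Anders raises, where the recipient's domain advertises no service at all.

```python
"""Added example: XKMS service discovery via DNS SRV plus an S/MIME LocateRequest.

Step 1: derive _xkms_http._tcp.<domain> from the recipient address and pick a
target per RFC 2782 (lowest priority first, weighted random among equals).
Step 2: build an XKMS 2.0 LocateRequest asking for an X.509 cert usable for S/MIME.
No DNS is queried; SRV answers are supplied as constructed data.
"""
import random
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

XKMS_NS = "http://www.w3.org/2002/03/xkms#"   # XKMS 2.0 namespace (assumed, check drafts)
RESPOND_X509 = XKMS_NS + "X509Cert"           # RespondWith value for a certificate (assumed)
APP_SMIME = "urn:ietf:rfc:2633"               # UseKeyWith Application URI for S/MIME (assumed)


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str   # owner of the service; "." means "no service at this domain"


def srv_name_for(address: str) -> str:
    """alice@example.com -> _xkms_http._tcp.example.com (the name Phill gives)."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return f"_xkms_http._tcp.{domain.lower().rstrip('.')}"


def choose_srv(records, rng=random.random) -> Optional[SrvRecord]:
    """RFC 2782 selection; None when the domain has no usable XKMS record."""
    usable = [r for r in records if r.target != "."]
    if not usable:
        return None
    best = min(r.priority for r in usable)
    pool = [r for r in usable if r.priority == best]
    total = sum(r.weight for r in pool)
    if total == 0:                 # all weights zero: any of them is acceptable
        return pool[0]
    pick = rng() * total           # weighted random choice among equal priorities
    acc = 0
    for r in pool:
        acc += r.weight
        if pick < acc:
            return r
    return pool[-1]


def service_url(record: SrvRecord, path: str = "/xkms") -> str:
    """HTTP endpoint of the XKMS service; the path is an assumption of this example."""
    return f"http://{record.target.rstrip('.')}:{record.port}{path}"


def build_locate_request(address: str, service: str, request_id: str) -> bytes:
    """Serialize an XKMS LocateRequest for the recipient's S/MIME certificate."""
    ET.register_namespace("", XKMS_NS)  # emit XKMS elements in the default namespace
    req = ET.Element(f"{{{XKMS_NS}}}LocateRequest", {"Id": request_id, "Service": service})
    ET.SubElement(req, f"{{{XKMS_NS}}}RespondWith").text = RESPOND_X509
    qkb = ET.SubElement(req, f"{{{XKMS_NS}}}QueryKeyBinding")
    ET.SubElement(qkb, f"{{{XKMS_NS}}}UseKeyWith",
                  {"Application": APP_SMIME, "Identifier": address})
    return ET.tostring(req, encoding="utf-8")


def locate_endpoint(address: str, srv_answers, rng=random.random) -> Optional[str]:
    """Address -> SRV name -> chosen record -> service URL, or None if the
    recipient's domain advertises nothing (the disjoint-domain case)."""
    rec = choose_srv(srv_answers.get(srv_name_for(address), []), rng)
    return service_url(rec) if rec else None


# Constructed sample answers standing in for what a resolver would return.
SAMPLE_SRV = {
    "_xkms_http._tcp.example.com": [
        SrvRecord(10, 60, 8080, "xkms1.example.com."),
        SrvRecord(10, 40, 8080, "xkms2.example.com."),
        SrvRecord(20, 0, 80, "backup.example.com."),
    ],
    "_xkms_http._tcp.example.net": [SrvRecord(0, 0, 0, ".")],  # explicit "no service"
}

if __name__ == "__main__":
    for addr in ("alice@example.com", "bob@example.net", "carol@example.org"):
        url = locate_endpoint(addr, SAMPLE_SRV, rng=lambda: 0.0)
        print(addr, "->", url)
        if url:
            print(build_locate_request(addr, url, "req-1").decode())
```

Two points worth keeping in mind when reading this: the SRV answer only tells the client where to ask, and without DNSSEC it is unauthenticated, so the certificate returned by the locate must still be chain-validated and checked for the recipient's address before any encryption key is taken from it; and the lookup is keyed on the recipient's mail domain, so a domain that publishes no record (example.org above) yields no service, which is exactly the TTP-issued-certificate gap Anders describes.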


