Re: PKI and S/MIME
"Anders Rundgren" <anders.rundgren@telia.com> Wed, 13 August 2003 17:46 UTC
Message-ID: <006901c361be$9f4ba080$0500a8c0@arport>
From: Anders Rundgren <anders.rundgren@telia.com>
To: Blake Ramsdell <blake@brutesquadlabs.com>, Simon Josefsson <jas@extundo.com>
Cc: ietf-smime@imc.org, "'Sean P. Turner'" <turners@ieca.com>
References: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAgKsEuzBx/UKJjkGlJhOARAEAAAAA@brutesquadlabs.com> <iluisp2nhbz.fsf@latte.josefsson.org>
Subject: Re: PKI and S/MIME
Date: Wed, 13 Aug 2003 19:16:22 +0200
Simon,

I respect your work with DNS for location, but is this really universal? How about my anders.rundgren@telia.com cert issued by VeriSign? Would it be appropriate to require ISPs like Telia to maintain a directory pointing to various TTP CAs? Or should every domain-owner become a CA?

Anders

----- Original Message -----
From: "Simon Josefsson" <jas@extundo.com>
To: "Blake Ramsdell" <blake@brutesquadlabs.com>
Cc: <ietf-smime@imc.org>; "'Sean P. Turner'" <turners@ieca.com>
Sent: Wednesday, August 13, 2003 09:32
Subject: Re: PKI and S/MIME

"Blake Ramsdell" <blake@brutesquadlabs.com> writes:

> There have been a number of messages recently about the use of PKI with
> S/MIME, and the concerns about that. I like to think that we're all
> pretty much in agreement that we've established a consistent,
> interoperable practice for the actual syntax and contents of S/MIME
> messages, as well as a reasonable cut of a certificate syntax profile
> for end-entity certificates.
>
> Should there be a profile for certificate usage (certificate repository,
> distribution and revocation checking) that is specific for our problem
> domain? That is, select relevant other work and profile it for use in
> the S/MIME interpersonal messaging domain? I would imagine that this
> would be a new draft, start with a summary of the requirements, and
> progress to profiles of relevant standards.
>
> It's also not clear if this is something to discuss in this working
> group, or somewhere else.
>
> Comments?

Since in practice, addressing this problem would help in getting "opportunistic S/MIME" to work, I believe it would be useful to address it. ("Opportunistic S/MIME" means to be able to encrypt messages to someone you don't have a prior trust relationship with, simply to provide encryption of data. There is a man in the middle attack, of course, but in practice the result often isn't worse than not using S/MIME.)

A strawman at a requirement:

* Be able to locate a certificate for an Internet user given only her email address.

I should mention that this has been discussed several times before, in various fora, for similar applications (e.g., OpenPGP, IPSEC, SSH), so there is prior work to look at for how to design this.

To do even more self-promoting, I'd again like to mention the following draft:

http://josefsson.org/draft-josefsson-pkix-dns.txt

which does discuss it for the S/MIME context as well.

I don't have an opinion on whether this WG is the proper place for it.

Regards,
Simon
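The exchange above turns on two points: where a certificate lookup keyed only by an e-mail address actually lands in the DNS (Anders's objection that telia.com, not VeriSign, would have to publish it), and Simon's caveat that an unauthenticated answer still leaves a man in the middle. The following Python is an added example, not code from the thread or from Simon's draft. It assumes the owner-name derivation later standardized in RFC 4398 section 3.3 for CERT RRs ('@' becomes '.', dots in the local part are escaped so the local part stays one label) and the CERT RDATA layout from RFC 4398 section 2 (type, key tag, algorithm, certificate). DNS answers are simulated with a constructed in-memory zone so the example runs offline; the trust levels and the zone contents are this example's own constructions.

```python
"""Locate an S/MIME certificate for a bare e-mail address via DNS CERT RRs.

Added example, not part of the original thread. Assumptions:
 - Owner-name derivation follows RFC 4398 section 3.3 (assumed reading of the
   published form of the draft Simon cites): '@' -> '.', dots in the local
   part escaped as '\\.', so the record lives in the MAIL DOMAIN's zone.
 - DNS is simulated by an in-memory dict (constructed data) so this runs
   offline; a real client would query CERT RRs and, ideally, use DNSSEC.
"""
import struct

# CERT RR "type" field values from RFC 4398 section 2.1.
CERT_TYPE_PKIX = 1   # X.509 certificate, what S/MIME needs
CERT_TYPE_PGP = 3    # OpenPGP packet, shown only to demonstrate filtering


def cert_owner_name(email: str) -> str:
    """Map user@domain to the DNS owner name under which a CERT RR is sought."""
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    # Dots inside the local part are escaped so the whole local part remains
    # a single label; the lookup therefore lands in the mail domain's zone.
    return f"{local.replace('.', chr(92) + '.')}.{domain.lower()}."


def publishing_zone(email: str) -> str:
    """Return the zone that would have to publish the record (the mail domain,
    not the issuing CA): this is Anders's point about telia.com vs VeriSign."""
    return email.rpartition("@")[2].lower() + "."


def encode_cert_rdata(cert_type: int, key_tag: int, algorithm: int,
                      certificate: bytes) -> bytes:
    """Build CERT RDATA: type (2 octets), key tag (2), algorithm (1), payload."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + certificate


def parse_cert_rdata(rdata: bytes) -> dict:
    """Parse CERT RDATA into its fields, rejecting truncated records."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA too short")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {"type": cert_type, "key_tag": key_tag,
            "algorithm": algorithm, "certificate": rdata[5:]}


# Constructed zone data: a placeholder blob stands in for a DER certificate.
FAKE_ZONE = {
    "anders\\.rundgren.telia.com.": [
        encode_cert_rdata(CERT_TYPE_PGP, 0, 0, b"<constructed pgp placeholder>"),
        encode_cert_rdata(CERT_TYPE_PKIX, 12345, 0, b"<constructed DER placeholder>"),
    ],
}


def locate_certificate(email: str, zone: dict = FAKE_ZONE,
                       dnssec_validated: bool = False):
    """Return (pkix_certificate_bytes_or_None, trust_level).

    trust_level separates the outcomes the thread describes (labels are this
    example's own):
      'none'          - no record: the sender can only fall back to plaintext
      'opportunistic' - record found but unauthenticated: encryption happens,
                        but whoever controls the DNS path could have
                        substituted a key (the man in the middle Simon notes)
      'authenticated' - the answer was DNSSEC-validated
    A real client must additionally check that the certificate's
    subjectAltName rfc822Name matches `email` and that it chains to a trusted
    CA before treating it as more than opportunistic.
    """
    for rdata in zone.get(cert_owner_name(email), []):
        rr = parse_cert_rdata(rdata)
        if rr["type"] == CERT_TYPE_PKIX:
            level = "authenticated" if dnssec_validated else "opportunistic"
            return rr["certificate"], level
    return None, "none"


if __name__ == "__main__":
    addr = "anders.rundgren@telia.com"
    print("lookup name:", cert_owner_name(addr))
    print("must be published by:", publishing_zone(addr))
    print("result:", locate_certificate(addr))
```

Running it shows the lookup name `anders\.rundgren.telia.com.` under the `telia.com.` zone, which is exactly why the ISP (or whoever runs the mail domain's DNS) rather than the issuing CA ends up having to publish or delegate the record.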