RE: DOMSEC and S/MIME Gateway Protocol comparison
"Blake Ramsdell" <blaker@tumbleweed.com> Thu, 04 October 2001 20:30 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA24476 for <smime-archive@odin.ietf.org>; Thu, 4 Oct 2001 16:30:48 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f94Jxi011479 for ietf-smime-bks; Thu, 4 Oct 2001 12:59:44 -0700 (PDT)
Received: from hawaii.deming.com (hawaii.deming.com [208.236.41.139]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f94JxiD11475 for <ietf-smime@imc.org>; Thu, 4 Oct 2001 12:59:44 -0700 (PDT)
Received: from 208.236.41.137 by hawaii.deming.com with ESMTP ( Tumbleweed MMS SMTP Relay (MMS v5.0)); Thu, 04 Oct 2001 12:59:39 -0700
X-Server-Uuid: F4BC6258-86A5-40F3-9714-0CF63E081F09
Received: by cane.deming.com with Internet Mail Service (5.5.2650.21) id <R9KF6T3L>; Thu, 4 Oct 2001 12:59:39 -0700
Message-ID: <01FF24001403D011AD7B00A024BC53C5BD16E7@cane.deming.com>
From: Blake Ramsdell <blaker@tumbleweed.com>
To: 'William Ottaway' <w.ottaway@eris.dera.gov.uk>, ietf-smime@imc.org
Subject: RE: DOMSEC and S/MIME Gateway Protocol comparison
Date: Thu, 04 Oct 2001 12:59:38 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
X-WSS-ID: 17A260215861-01-01
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit
Bill, thanks very much for doing this summary. One thing that we were initially concerned about was that there was a requirement for triple-wrapping and/or an empty signature layer (SignedData with no SignerInfos). If this requirement is gone, then I believe we can simply make our document an "encrypting-only" profile for DOMSEC. I propose that our current document continue to live, but with the following changes: 1. Refer to DOMSEC in the relevant places in our draft 2. Remove the language about the email address in the certificate, and refer to DOMSEC for this 3. Clarify that the additions that we have specified for handling subdomains, etc. are in addition to DOMSEC (and thus the meat of this profile) The only impact for any existing implementations of our specification would therefore be the recognition of the DOMSEC-specified email address (domain-confidentiality-authority) as opposed to the smg_encryptor email address that we originally specified in our draft. Blake -----Original Message----- From: William Ottaway [mailto:w.ottaway@eris.dera.gov.uk] Sent: Friday, September 21, 2001 6:42 AM To: ietf-smime@imc.org Cc: Blake Ramsdell Subject: DOMSEC and S/MIME Gateway Protocol comparison At the S/MIME WG meeting in London I was tasked to provide a comparison between DOMSEC and the S/MIME Gateway Protocol (draft-ramsdell-enc-smime-gateway-00.txt) in order to start a discussion on whether the gateway draft should be progressed and if so how would it relate to DOMSEC. DOMSEC Summary: - 1) Encryption/Decryption and signing. 2) Defines naming conventions. 3) Defines signature types. 4) Defines membership of a domain. 5) Defines rules for domain signature generation and verification. 6) States how domain encryption/decryption is achieved. 7) Defines domain signature application rules when sending to mail list agents. Gateway Summary: - 1) Encryption/Decryption only. 2) Uses same notation of domain "membership" as DOMSEC. 3) Introduces its own naming convention for the encrypting entities domain certificate, smg_encryptor@domain. DOMSEC defines domain-confidentiality-authority@domain. 4) Introduces a mechanism for identifying multiple domains handled by the gateway. They can be listed in a single certificate or in multiple certificates. 5) Introduces a rule for deciding which recipient domain certificate must be used. 6) Introduces a rule on how the gateway recognises that a message requires encryption (encrypt if have a certificate for the recipients domain). 7) Introduces a rule on when the gateway should decrypt a message (when the gateways public key has been used to encrypt) My view: - DOMSEC defines mechanisms for domain signing and encrypting with out specifying mechanisms or rules that are deemed local to the installation. It is hoped that domain signing and encryption implementations will be compliant with DOMSEC. It is expected that individual installations will provide extra local mechanisms and rules in support of DOMSEC, for example how to decide on which certificate to use, how to decide on whether encryption is required, how certificates are retrieved, whether a domain signature is stripped off before forwarding to the local recipient, whether encryption between the domain boundary and the local recipient is required, etc. The Gateway draft defines mechanisms that are already defined in DOMSEC, such as encryption and naming notation. It also defines mechanisms that may differ between implementations, such as domains that are handled by the gateway may be listed in a single or multiple certificate and rules on which recipient certificate to use when encrypting. I propose that the Gateway draft should be a profile of DOMSEC. Therefore, it should support encryption/decryption as specified in DOMSEC and the DOMSEC naming convention. The Gateway draft would contain those features local to this implementation such as points 4 - 7 in the gateway summary. Bill ____________________________________________________ William Ottaway BSc Hons CEng MBCS, Woodward B009, QinetiQ Tel: +44 (0) 1684 894079 Malvern Technology Centre, Fax: +44 (0) 1684 896660 St. Andrews Road, email: wjottaway@QinetiQ.com Malvern, Worcs, WR14 3PS All opinions are my own.
- DOMSEC and S/MIME Gateway Protocol comparison William Ottaway
- RE: DOMSEC and S/MIME Gateway Protocol comparison Blake Ramsdell
- RE: DOMSEC and S/MIME Gateway Protocol comparison William Ottaway
- RE: DOMSEC and S/MIME Gateway Protocol comparison Housley, Russ