DOMSEC and S/MIME Gateway Protocol comparison
"William Ottaway" <w.ottaway@eris.dera.gov.uk> Fri, 21 September 2001 14:15 UTC
From: William Ottaway <w.ottaway@eris.dera.gov.uk>
To: ietf-smime@imc.org
Cc: blaker@tumbleweed.com
Subject: DOMSEC and S/MIME Gateway Protocol comparison
Date: Fri, 21 Sep 2001 14:41:59 +0100
Message-ID: <NABBJNEAKNOGJBHIOCBHGECKEBAA.w.ottaway@eris.dera.gov.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Importance: Normal
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>
At the S/MIME WG meeting in London I was tasked to provide a comparison between DOMSEC and the S/MIME Gateway Protocol (draft-ramsdell-enc-smime-gateway-00.txt) in order to start a discussion on whether the gateway draft should be progressed and, if so, how it would relate to DOMSEC.

DOMSEC Summary: -

1) Encryption/Decryption and signing.
2) Defines naming conventions.
3) Defines signature types.
4) Defines membership of a domain.
5) Defines rules for domain signature generation and verification.
6) States how domain encryption/decryption is achieved.
7) Defines domain signature application rules when sending to mail list agents.

Gateway Summary: -

1) Encryption/Decryption only.
2) Uses the same notion of domain "membership" as DOMSEC.
3) Introduces its own naming convention for the encrypting entity's domain certificate, smg_encryptor@domain. DOMSEC defines domain-confidentiality-authority@domain.
4) Introduces a mechanism for identifying multiple domains handled by the gateway. They can be listed in a single certificate or in multiple certificates.
5) Introduces a rule for deciding which recipient domain certificate must be used.
6) Introduces a rule on how the gateway recognises that a message requires encryption (encrypt if it has a certificate for the recipient's domain).
7) Introduces a rule on when the gateway should decrypt a message (when the gateway's public key has been used to encrypt).

My view: -

DOMSEC defines mechanisms for domain signing and encrypting without specifying mechanisms or rules that are deemed local to the installation. It is hoped that domain signing and encryption implementations will be compliant with DOMSEC.

It is expected that individual installations will provide extra local mechanisms and rules in support of DOMSEC, for example how to decide which certificate to use, how to decide whether encryption is required, how certificates are retrieved, whether a domain signature is stripped off before forwarding to the local recipient, whether encryption between the domain boundary and the local recipient is required, etc.

The Gateway draft defines mechanisms that are already defined in DOMSEC, such as encryption and naming notation. It also defines mechanisms that may differ between implementations, such as whether the domains handled by the gateway are listed in a single certificate or in multiple certificates, and rules on which recipient certificate to use when encrypting.

I propose that the Gateway draft should be a profile of DOMSEC. Therefore, it should support encryption/decryption as specified in DOMSEC and the DOMSEC naming convention. The Gateway draft would contain those features local to this implementation, such as points 4 - 7 in the gateway summary.

Bill

____________________________________________________
William Ottaway BSc Hons CEng MBCS,    Woodward B009, QinetiQ
Tel: +44 (0) 1684 894079               Malvern Technology Centre,
Fax: +44 (0) 1684 896660               St. Andrews Road,
email: wjottaway@QinetiQ.com           Malvern, Worcs, WR14 3PS

All opinions are my own.