Re: dissemination of public encryption certificates
Simon Josefsson <jas@extundo.com> Tue, 12 August 2003 11:58 UTC
To: Alberto Cozer <acozer@fti.com.br>
Cc: jpierre@netscape.com, ietf-smime@imc.org
Subject: Re: dissemination of public encryption certificates
References: <OFBAABE6B3.C3293377-ON83256D80.00741FE0-83256D7F.0074EFB5@fti.com.br>
From: Simon Josefsson <jas@extundo.com>
X-Payment: hashcash 1.2 0:030812:acozer@fti.com.br:c720615954f0da08
X-Hashcash: 0:030812:acozer@fti.com.br:c720615954f0da08
X-Payment: hashcash 1.2 0:030812:jpierre@netscape.com:3eff6f14a0f2077e
X-Hashcash: 0:030812:jpierre@netscape.com:3eff6f14a0f2077e
X-Payment: hashcash 1.2 0:030812:ietf-smime@imc.org:79512a673eba340a
X-Hashcash: 0:030812:ietf-smime@imc.org:79512a673eba340a
Date: Tue, 12 Aug 2003 13:26:15 +0200
In-Reply-To: <OFBAABE6B3.C3293377-ON83256D80.00741FE0-83256D7F.0074EFB5@fti.com.br> (Alberto Cozer's message of "Tue, 12 Aug 2003 18:19:00 -0300")
Message-ID: <ilusmo786co.fsf@latte.josefsson.org>
User-Agent: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.3.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>
Julien, Alberto,

There is a DNS RR for X.509 certificates (and CRLs), see RFC 2538. Unfortunately it doesn't include useful RR owner name guidelines to make it work in practice. I have made some clarifications for this in http://josefsson.org/draft-josefsson-pkix-dns.txt which also includes recommended owner names for S/MIME certificates. The document has expired on the IETF servers, but if there is interest in picking up this, let me know.

(The idea has been implemented in experimental environments. Similar solutions for OpenPGP are freely available. I did my master's thesis on distributing certificates via DNS, to allow for "opportunistic email encryption".)

Regards,
Simon

"Alberto Cozer" <acozer@fti.com.br> writes:

> Julien,
>
> I have seen this idea in the past, but so far no RFC nor any agency
> officially documented it. We should have a hierarchical structure for
> public directories, similar to the DNS hierarchy. Maybe the DNS hierarchy
> itself could be used for that. We could have a new DNS record type (DRY,
> from Directory, for instance). Then, as mail servers and clients consult
> the MX record to deliver a message, they could check for the DRY record to
> deliver S/MIME messages. Without this DRY record set in the DNS zone file,
> it must be possible to deliver a signed message but impossible to deliver an
> encrypted one.
>
> In my opinion it is really hard to solve the public keys problem without
> changing the way people send e-mails. With minor changes in the DNS and
> E-MAIL RFCs it would be possible to have people sending and receiving
> encrypted mail transparently in a couple of years.
>
> Best regards,
>
> Alberto Cozer
> Security Outsource Director, Future Technologies Digital Security
> IBM Certified AIX System Specialist
> Checkpoint Certified Security Expert, CCSE NG
> acozer@fti.com.br
> http://www.fti.com.br
> Tel / Fax: 55 (21) 2522-5362
>
>
> jpierre@netscape.com (Julien Pierre)
> Sent by: owner-ietf-smime@mail.imc.org
> 08/08/2003 23:07
>
> To: ietf-smime@imc.org
> cc:
> Subject: dissemination of public encryption certificates
>
>
> Hi,
>
> Since this is my first posting to this mailing list, let me introduce
> myself:
>
> I'm a software engineer in AOL / Netscape and one of my responsibilities
> for several years has been to maintain the open source Netscape Security
> Services (NSS) library, which is used in the Mozilla browsers, many
> Netscape and Sun servers, and other internal products. The NSS library
> contains an implementation of S/MIME v3.
>
> I was wondering what thoughts you may have on the following problem:
>
> If I have a keypair and e-mail certificate, and I want to send encrypted
> e-mail to somebody knowing his e-mail address, what's a systematic way
> to obtain the recipient's encryption certificate?
>
> Traditionally today, signed e-mail messages typically contain the
> signer's public encryption certificate. However, that means one party
> needs to first send a signed, unencrypted e-mail message to transmit the
> public encryption certificate before both parties can exchange encrypted
> messages.
>
> There are also ways to find recipient certificates today using corporate
> directory servers, but users must know about them and manually configure
> them in their applications, and they are typically not widely available
> on the Internet.
>
> I'm envisioning some standardized scheme where, by starting with the
> recipient's email address, it would be possible to locate a public
> directory server, then find the recipient's certificate by looking it up
> in that directory server.
>
> My main question is: has any similar scheme been proposed? I would
> rather work with something that exists, but if there is nothing that
> fits, I'm open to writing an RFC.
>
> Also, what are the other ways that people locate recipient S/MIME e-mail
> encryption certificates?
>
> Thanks.
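The RFC 2538 CERT record that Simon points to, worked through as an added example; this is not code from the thread, from NSS, or from the draft he links. It decodes CERT RDATA as RFC 2538 defines it (2-byte certificate type, 2-byte key tag, 1-byte algorithm, then the certificate or CRL), round-trips the presentation form that `dig` prints, and filters an RRset down to X.509 (type 1, PKIX) candidates for a recipient address. The owner-name mapping in `email_to_owner_name` (local-part as the leftmost label under the mail domain, with dots in the local-part escaped) is an illustrative assumption to make the lookup concrete; it is not the recommendation from the expired draft, which this page does not reproduce. The RRset and the DER bytes inside it are constructed placeholders, not a real certificate.

```python
"""Locating an S/MIME recipient certificate published as a CERT RR (RFC 2538).

Added example, not code from the original thread. The owner-name mapping is an
illustrative ASSUMPTION; RFC 2538 itself gives no usable owner-name rule.
"""
import base64
import struct

CERT_RRTYPE = 37  # RR type code assigned to CERT by RFC 2538

# Certificate type values from RFC 2538 section 2.1
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 253: "URI", 254: "OID"}


def email_to_owner_name(address: str) -> str:
    """ASSUMPTION for illustration: user@domain -> user.domain. (a single label
    for the local-part, with '.' escaped per RFC 1035 presentation rules so that
    joe.smith@example.com does not collide with joe@smith.example.com)."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an addr-spec: {address!r}")
    label = local.replace("\\", "\\\\").replace(".", "\\.")
    return f"{label}.{domain.rstrip('.')}."


def parse_cert_rdata(rdata: bytes) -> dict:
    """Decode CERT RDATA: 2-byte type, 2-byte key tag, 1-byte algorithm, then
    the certificate or CRL bytes (RFC 2538 section 2)."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-byte fixed header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    body = rdata[5:]
    if not body:
        raise ValueError("CERT RDATA carries no certificate/CRL payload")
    return {
        "type": cert_type,
        "type_name": CERT_TYPES.get(cert_type, f"TYPE{cert_type}"),
        "key_tag": key_tag,
        "algorithm": algorithm,
        "certificate": body,
    }


def parse_cert_presentation(text: str) -> dict:
    """Decode the presentation form printed by dig: 'type key_tag alg base64'."""
    fields = text.split(None, 3)
    if len(fields) != 4:
        raise ValueError("expected: type key-tag algorithm base64-data")
    cert_type, key_tag, algorithm = (int(f) for f in fields[:3])
    body = base64.b64decode("".join(fields[3].split()), validate=True)
    return parse_cert_rdata(struct.pack("!HHB", cert_type, key_tag, algorithm) + body)


def to_presentation(record: dict) -> str:
    """Encode a decoded record back into dig-style presentation form."""
    b64 = base64.b64encode(record["certificate"]).decode("ascii")
    return f'{record["type"]} {record["key_tag"]} {record["algorithm"]} {b64}'


def select_pkix_certs(records):
    """Keep only type-1 (PKIX / X.509) records. A plain DNS answer is not
    authenticated, so the caller must still chain-validate each certificate and
    check that its rfc822Name subjectAltName equals the intended recipient
    address before encrypting to it."""
    return [r["certificate"] for r in records if r["type"] == 1]


# Constructed sample RRset for joe@example.com: one PKIX entry whose payload is
# placeholder bytes standing in for a DER certificate, plus one PGP entry.
SAMPLE_RRSET = [
    struct.pack("!HHB", 1, 4660, 5) + b"\x30\x82\x01\x00PLACEHOLDER-DER",
    struct.pack("!HHB", 3, 0, 0) + b"\x99\x01PLACEHOLDER-PGP",
]


def lookup_from_rrset(address: str, rrset):
    """Simulate the lookup: derive the owner name, decode each RDATA, and return
    the owner name that would be queried plus the X.509 candidates found."""
    owner = email_to_owner_name(address)
    records = [parse_cert_rdata(r) for r in rrset]
    return owner, select_pkix_certs(records)


if __name__ == "__main__":
    owner, certs = lookup_from_rrset("joe@example.com", SAMPLE_RRSET)
    print(f"query {owner} IN CERT -> {len(certs)} X.509 candidate(s)")
    for r in SAMPLE_RRSET:
        print(to_presentation(parse_cert_rdata(r)))
```

Against a live zone the `rrset` argument would be the RDATA of the CERT answers for the derived owner name; the code does not verify the key-tag field and does not parse the certificate itself, so the chain validation and the check that the certificate's rfc822Name matches the address (the only thing binding a spoofable DNS answer to the recipient) remain the caller's job.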