Re: PKI and S/MIME

Simon Josefsson <jas@extundo.com> Thu, 14 August 2003 22:55 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA00859 for <smime-archive@lists.ietf.org>; Thu, 14 Aug 2003 18:55:32 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7EMSqqt022092 for <ietf-smime-bks@above.proper.com>; Thu, 14 Aug 2003 15:28:52 -0700 (PDT) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h7EMSqxh022091 for ietf-smime-bks; Thu, 14 Aug 2003 15:28:52 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from yxa.extundo.com (178.230.13.217.in-addr.dgcsystems.net [217.13.230.178]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h7EMSoqt022082 for <ietf-smime@imc.org>; Thu, 14 Aug 2003 15:28:51 -0700 (PDT) (envelope-from jas@extundo.com)
Received: from latte.josefsson.org (yxa.extundo.com [217.13.230.178]) by yxa.extundo.com (8.12.9/8.12.9) with ESMTP id h7EMSmdj020596; Fri, 15 Aug 2003 00:28:48 +0200
To: Steve Hole <steve.hole@messagingdirect.com>
Cc: Blake Ramsdell <blake@brutesquadlabs.com>, ietf-smime@imc.org
Subject: Re: PKI and S/MIME
References: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARMPfbnbp50SwK3EZjypY2MKAAAAQAAAAQVKABfNPsUqsKQWmJVuOUAEAAAAA@brutesquadlabs.com> <006901c361be$9f4ba080$0500a8c0@arport> <EXECMAIL.20030814104202.G@kepler.messagingdirect.com>
From: Simon Josefsson <jas@extundo.com>
X-Payment: hashcash 1.2 0:030814:steve.hole@messagingdirect.com:0875e397ce7250b9
X-Hashcash: 0:030814:steve.hole@messagingdirect.com:0875e397ce7250b9
X-Payment: hashcash 1.2 0:030814:blake@brutesquadlabs.com:3c2a293ee5df2ff0
X-Hashcash: 0:030814:blake@brutesquadlabs.com:3c2a293ee5df2ff0
X-Payment: hashcash 1.2 0:030814:ietf-smime@imc.org:4f23e4d550f9f65d
X-Hashcash: 0:030814:ietf-smime@imc.org:4f23e4d550f9f65d
Date: Fri, 15 Aug 2003 00:28:48 +0200
In-Reply-To: <EXECMAIL.20030814104202.G@kepler.messagingdirect.com> (Steve Hole's message of "Thu, 14 Aug 2003 10:42:02 -0700")
Message-ID: <ilu4r0j27rz.fsf@latte.josefsson.org>
User-Agent: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Steve Hole <steve.hole@messagingdirect.com> writes:

> On Wed, 13 Aug 2003 15:05:49 -0700 Blake Ramsdell 
> <blake@brutesquadlabs.com> wrote:
>
>> A better question for the DNS distribution of certificates is whether or
>> not this smells like it would be the most likely thing to get deployed.
>> My understanding is that you would need DNS servers that supported the
>> particular record types required for this functionality, as well as
>> administrative tools to upgrade those records that are different than
>> typical DNS administration tools.  To me, that doesn't smell as good.
>
> Actually, I think that there are two barriers:
>
> 1. Deployment of DNS-SEC. People have to go out of their way to do it 
> right now.   It takes some work both to deploy the right software and to 
> get the relationship set up with the domain registration service.   Not 
> all services offer it.

Note that distributing certificates via DNS does not depend on DNSSEC.
Thus the argument that DNSSEC may or may not be deployable is not
relevant to distributing certificates via DNS.

However, should DNSSEC (or some close approximation to it) happen, it
would make certificates distributed via DNS become integrity protected
and authenticated via the DNSSEC trust chain.  LDAP or XKMS using SRV
records does not get the same benefit. 

> 2. Client support.   Basically this means that Outlook, Outlook Express, 
> Netscape (and down the list) of clients have to support it.   It means a 
> CSP for the Windows twins and a module in the new Netscape/Mozilla 
> security API.

Since mail clients cannot find certificates for arbitrary users today,
I believe clients must be modified regardless of the solution chosen.

Even here there is an advantage for DNS: mail clients already
implement DNS.  There is no need to open ports in firewalls etc for
LDAP or XKMS.  There is no need to implement new client code in the
mail client.  Instead modify the existing code to query for a CERT
record where it now queries for MX and A records.  Yes, I know this
doesn't apply in all situations, such as corporate mode Outlook and
Exchange, which don't use Internet protocols to send and receive
mail.  But we are here to find a solution for applications that use
IETF standards, not Microsoft implementations, aren't we?

Regards,
Simon
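
The lookup Simon sketches (query for a CERT record at the place a client
now queries for MX and A records, and let DNSSEC supply the integrity
protection if it is there) as an added, runnable example. This is not
code from the original message or from any of the clients discussed;
it is a standard-library-only Python sketch. It assumes the RFC 4398
owner-name convention (user@example.com is looked up at
user.example.com; local parts containing a dot are rejected rather than
escaped), uses the CERT RR type code 37 and EDNS0 OPT pseudo-RR (type 41)
with the DO bit, and replaces the network with a constructed response
built by a stand-in "resolver" so the whole thing runs offline. The
certificate bytes in the sample are a placeholder, not real DER.

```python
import struct

CERT_RRTYPE = 37          # CERT RR, RFC 4398
OPT_RRTYPE = 41           # EDNS0 OPT pseudo-RR, RFC 6891
CLASS_IN = 1
OPT_TTL_DO = 0x00008000   # OPT "TTL" field with only the DO (DNSSEC OK) bit set
FLAG_QR, FLAG_AD = 0x8000, 0x0020
CERT_TYPE_NAMES = {1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI",
                   6: "IPGP", 7: "ACPKIX", 8: "IACPKIX", 253: "URI", 254: "OID"}


def owner_name(address):
    """Map user@example.com to user.example.com (RFC 4398 section 3.3).
    Assumption for this example: local parts with '.' are not handled."""
    local, _, domain = address.partition("@")
    if not local or not domain or "." in local:
        raise ValueError("unsupported address: %r" % address)
    return local + "." + domain


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        lab = label.encode("ascii")
        out += struct.pack("B", len(lab)) + lab
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a wire-format name, following compression pointers."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2          # caller resumes after the pointer
            off = ptr
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (end if end is not None else off)


def build_cert_query(address, qid):
    """The query a mail client would send instead of (or next to) its MX/A
    lookup: QTYPE=CERT, RD=1, plus an OPT RR with DO set so a validating
    resolver returns RRSIGs and sets AD."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(owner_name(address)) + struct.pack("!HH", CERT_RRTYPE, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, 4096, OPT_TTL_DO, 0)
    return header + question + opt


def build_cert_response(query, cert_type, key_tag, alg, cert, ad):
    """Constructed stand-in for a resolver: echoes the question and returns
    one CERT RR. AD is set only when the 'resolver' claims validation."""
    qid, = struct.unpack("!H", query[:2])
    _, off = decode_name(query, 12)
    flags = FLAG_QR | 0x0180 | (FLAG_AD if ad else 0)   # QR, RD, RA (+AD)
    header = struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0)
    question = query[12:off + 4]
    rdata = struct.pack("!HHB", cert_type, key_tag, alg) + cert
    answer = b"\xc0\x0c" + struct.pack("!HHIH", CERT_RRTYPE, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answer


def parse_cert_response(msg, expected_id):
    """Return the CERT RRs in a reply and whether the resolver set AD.
    Caveat: AD is only meaningful if the path to the validating resolver
    is itself trusted (e.g. a validator on localhost); on an untrusted
    path it is just a bit anyone in the middle can set."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id or not flags & FLAG_QR:
        raise ValueError("not a reply to our query")
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4
    certs = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != CERT_RRTYPE:
            continue
        ctype, ktag, alg = struct.unpack("!HHB", rdata[:5])
        certs.append({"owner": name, "type": CERT_TYPE_NAMES.get(ctype, ctype),
                      "key_tag": ktag, "algorithm": alg, "certificate": rdata[5:]})
    return {"authenticated": bool(flags & FLAG_AD), "certs": certs}


def lookup_demo(validated=True):
    """Offline round trip: build the query, answer it with the constructed
    resolver (placeholder certificate bytes), parse the result."""
    query = build_cert_query("alice@example.com", 0x1234)
    reply = build_cert_response(query, 1, 12345, 8, b"\x30\x82dummy", ad=validated)
    return parse_cert_response(reply, 0x1234)
```

The point the last function makes in code: the same CERT lookup works
with or without DNSSEC; what DNSSEC adds is the "authenticated" result
(and, in a real client, the RRSIG validation behind it), which an LDAP
or XKMS endpoint found through an SRV record does not get for free.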