Previously on this list I wrote this to a poster:

> On Nov 17, 2016, at 9:11 AM, Garfinkel, Simson L. (Fed) <[email protected]> wrote:
>
> It’s clear that distributing public key certificates is a fundamental problem with the PKI concept. How would you solve it such that individuals could obtain certificates for people with whom they have had no previous contact?

To summarize the answer I received, there was concern that some email users might be using a legacy email account, not trust their mail provider, and want the assurance of an end-to-end encryption that is asserted by a trustworthy CA.

I’ve thought about this response over the weekend and do not find it credible. This answer presupposes a CA system that is not the one that we have. Most CA S/MIME providers authenticate users based on their ability to receive email at a given address. So a hostile email provider intent on intercepting encrypted email could easily spoof even a trusted CA provider into issuing a bogus certificate.

I am also concerned about the broad number of CAs that are trusted under the current model. DANE allows the scoping of CA trust. It allows an email provider to say “we only trust this specific CA to issue a certificate, because that’s the CA that we use in our organization.” With a CA-based system that does not use DANE, there is no mechanism for individuals to signal to people with whom they have had no previous contact that a specific CA is in use and another CA is not to be trusted.

Given this, I support publication as an experimental RFC. We continue to pursue and support R&D efforts to develop S/MIME-based approaches to enterprise email security. Having a stable reference will benefit those efforts.

Simson Garfinkel
===================
Simson Garfinkel
Information Access Division
National Institute of Standards and Technology
[email protected]
202-649-0029

On Nov 21, 2016, at 2:08 AM, tjw ietf <[email protected]> wrote:

> I've read this document and I support publication. I'm more inclined to publish as Experimental, but I'm not beholden to the correct flavor.
>
> tim
>
> On Thu, Nov 17, 2016 at 7:33 PM, Jim Reid <[email protected]> wrote:
>
> > On 17 Nov 2016, at 09:19, Paul Wouters <[email protected]> wrote:
> > >
> > > I am in favour of publishing this document as an Experimental RFC.
> >
> > I support publication of this document too: don't care which flavour of RFC is chosen for it.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
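The "scoping of CA trust" described in the message above is what a SMIMEA record expresses in DNS. The Python below is an added example, not code from this thread or from any of the posters: it builds the SMIMEA owner name for a mailbox (SHA-256 of the local-part truncated to 28 octets, then `_smimecert` and the domain, as specified in RFC 8162, assumed here to be the published form of the S/MIME DANE document under discussion), encodes a DANE-TA record that pins one organizational CA, and checks a certificate chain against that pin so that a certificate issued by any other CA is rejected. The certificates are constructed byte strings standing in for DER; real records carry DER certificate or SubjectPublicKeyInfo data, and signature and path validation are assumed to be done by the S/MIME library rather than repeated here.

```python
import hashlib
from typing import NamedTuple, Tuple

# SMIMEA certificate usage, selector and matching type values (same
# registry as TLSA, RFC 6698 / RFC 8162).
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
SEL_FULL_CERT, SEL_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

Record = Tuple[int, int, int, bytes]  # (usage, selector, matching type, assoc data)


class Cert(NamedTuple):
    """Constructed stand-in for an X.509 certificate: real code would hold
    the DER encoding and extract the SubjectPublicKeyInfo from it."""
    der: bytes
    spki: bytes


def smimea_owner_name(email: str) -> str:
    """RFC 8162 owner name: SHA-256 of the local-part, truncated to 28
    octets (56 hex characters), under _smimecert.<domain>.  Whether the
    local-part is case-folded first is assumed to be the domain's policy;
    it is hashed exactly as given here."""
    local_part, _, domain = email.rpartition("@")
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._smimecert.{domain.lower()}."


def _selected(cert: Cert, selector: int) -> bytes:
    return cert.der if selector == SEL_FULL_CERT else cert.spki


def _assoc_data(data: bytes, matching_type: int) -> bytes:
    if matching_type == MATCH_EXACT:
        return data
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def smimea_record(usage: int, selector: int, matching_type: int, cert: Cert) -> Record:
    """Build the RDATA that pins `cert` under the given usage."""
    return (usage, selector, matching_type,
            _assoc_data(_selected(cert, selector), matching_type))


def presentation_line(owner: str, record: Record) -> str:
    """Zone-file style rendering, e.g. for comparison with dig output."""
    usage, selector, matching_type, assoc = record
    return f"{owner} IN SMIMEA {usage} {selector} {matching_type} {assoc.hex()}"


def record_matches(record: Record, cert: Cert) -> bool:
    usage, selector, matching_type, assoc = record
    return _assoc_data(_selected(cert, selector), matching_type) == assoc


def chain_satisfies(record: Record, chain) -> bool:
    """chain[0] is the end-entity certificate, later entries its issuers.
    Usages 1 and 3 constrain the end-entity certificate itself; usages 0
    and 2 require the pinned CA to appear among the issuers.  Chain
    signature checks, validity periods and (for usages 0/1) acceptance by
    the client's PKIX store are assumed to be done by the S/MIME library."""
    usage = record[0]
    if usage in (PKIX_EE, DANE_EE):
        return record_matches(record, chain[0])
    return any(record_matches(record, issuer) for issuer in chain[1:])


def demo() -> dict:
    """Pin the organization's CA with a DANE-TA record and evaluate a
    genuine chain and one issued by an unrelated CA (all data constructed)."""
    org_ca = Cert(der=b"DER:org-ca", spki=b"SPKI:org-ca")
    other_ca = Cert(der=b"DER:other-ca", spki=b"SPKI:other-ca")
    alice = Cert(der=b"DER:alice", spki=b"SPKI:alice")
    alice_from_other_ca = Cert(der=b"DER:alice-2", spki=b"SPKI:alice-2")

    pin = smimea_record(DANE_TA, SEL_FULL_CERT, MATCH_SHA256, org_ca)
    owner = smimea_owner_name("alice@example.com")
    return {
        "record": presentation_line(owner, pin),
        "genuine": chain_satisfies(pin, [alice, org_ca]),
        "other_ca": chain_satisfies(pin, [alice_from_other_ca, other_ca]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the usage-2 pin in place, only a chain that runs through the organization's own CA satisfies the record; a certificate for the same address issued by any other publicly trusted CA does not, which is the restriction a plain CA-based model has no way to express to strangers.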
