Hi, Simson.

> To summarize the answer I received, there was concern that some email users
> might be using a legacy email account, not trust their mail provider, and
> want the assurance of an end-to-end encryption that is asserted by a
> trustworthy CA.
That's not really what I said. If you're going to quote me, please quote me.

> I've thought about this response over the weekend and do not find it
> credible. This answer presupposes a CA system that is not the one that we
> have. Most CA S/MIME providers authenticate users based on their ability to
> receive email at a given address. So a hostile email provider intent on
> intercepting encrypted email could easily spoof even a trusted CA provider
> into issuing a bogus certificate.

I certainly wouldn't disagree that the current public CA system is screwed up. On the other hand, there are non-public or semi-public CAs that seem to work OK, like the DOD's. This is throwing out the baby with the bathwater.

But in any event, to return to my original objection, it seems quite clear that the assumption in this document is that domains are authorities for the identities of their users. It should say that in so many words rather than dancing around it.

R's,
John

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
