Anders Rundgren wrote:
I want each organization/domain entity that can afford an SSL certificate to
become a virtual CA and run their own secure messaging center.  Based on
the SSL certificate they can use whatever issuance policies they feel comfortable
with as long as they keep inside of their "PKI sandbox" which is (by the not
yet defined application), constrained regarding subject naming-schemes.

This is BTW, how I believe secure e-mail should have been from the beginning;
secured at the domain-level.

Anders, that's not the real problem with S/MIME or PGP. Encrypting/signing is simply not a business requirement.

One of my customers has a special CA for issuing S/MIME certs to its own internal end users. The end users are always surprised how easily they can get an S/MIME cert within a minute. But the external partners are not obliged to encrypt e-mail and they are not willing to do the necessary work on their side. I already tried this 10 years ago with a PKI which would have issued certs to external partners. They were not willing to do their part even if made fairly simple.

=> Encrypting/signing must be made a business requirement in contracts. That's the whole point. And there's no technical solution for it.

Ciao, Michael.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto