Anders Rundgren wrote:
I want each organization/domain entity that can afford an SSL certificate to
become a virtual CA and run their own secure messaging center. Based on
the SSL certificate they can use whatever issuance policies they feel
comfortable with, as long as they stay inside their "PKI sandbox", which is
(by the not yet defined application) constrained regarding subject naming
schemes.
This is, BTW, how I believe secure e-mail should have been from the beginning:
secured at the domain level.
Anders, that's not the real problem with S/MIME or PGP.
Encrypting/signing is simply not a business requirement.
One of my customers has a special CA for issuing S/MIME certs to its own
internal end users. The end users are always surprised how easily they can
get an S/MIME cert within a minute. But the external partners are not
obliged to encrypt e-mail and they are not willing to do the necessary
work on their side. I already tried this 10 years ago with a PKI which
would have issued certs to external partners. They were not willing to
do their part even if it was made fairly simple.
=> Encrypting/signing must be made a business requirement in contracts.
That's the whole point. And there's no technical solution for it.
Ciao, Michael.
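Anders's "PKI sandbox" is, in X.509 terms, what the Name Constraints extension (RFC 5280, section 4.2.1.10) expresses: a domain-level CA is limited to rfc822Name subtrees such as its own mail domain, and a relying party rejects any certificate it issues outside them. The following is an added illustration, not code from this thread or from any of the products mentioned; it implements the rfc822Name matching rules from RFC 5280 in plain Python over a constructed set of constraints and candidate mailboxes (`vet_subject_names`, `is_permitted` and the sample data are assumptions made for the example).

```python
"""rfc822Name name-constraint evaluation (RFC 5280 section 4.2.1.10).

Constructed example: a domain CA keeps issuance inside its own mail domain
by carrying permitted/excluded rfc822Name subtrees in its Name Constraints
extension. A path validator applies exactly these matching rules to the
e-mail addresses in an end-entity certificate; a cert naming a mailbox
outside the subtrees fails validation even if the CA did sign it.
"""


def _split_mailbox(mailbox: str):
    """Return (local part, lowercased host); host names compare case-insensitively."""
    local, sep, host = mailbox.rpartition("@")
    if not sep or not local or not host:
        raise ValueError(f"not a mailbox: {mailbox!r}")
    return local, host.lower()


def rfc822_matches(constraint: str, mailbox: str) -> bool:
    """Does `mailbox` fall inside the single rfc822Name subtree `constraint`?

    RFC 5280 forms:
      "user@host"  a single, complete mailbox
      "host"       every mailbox on exactly that host
      ".domain"    every mailbox on any host *within* domain (not domain itself)
    """
    local, host = _split_mailbox(mailbox)
    if "@" in constraint:
        c_local, c_host = _split_mailbox(constraint)
        return local == c_local and host == c_host
    c_host = constraint.lower()
    if c_host.startswith("."):
        # "example.com" does not end with ".example.com", so the apex is excluded
        return host.endswith(c_host)
    return host == c_host


def is_permitted(mailbox: str, permitted=(), excluded=()) -> bool:
    """Excluded subtrees always win; an empty permitted list means 'no restriction'."""
    if any(rfc822_matches(c, mailbox) for c in excluded):
        return False
    if not permitted:
        return True
    return any(rfc822_matches(c, mailbox) for c in permitted)


def vet_subject_names(mailboxes, permitted=(), excluded=()):
    """Split a candidate certificate's rfc822Name SANs into (accepted, rejected)."""
    accepted = [m for m in mailboxes if is_permitted(m, permitted, excluded)]
    rejected = [m for m in mailboxes if m not in accepted]
    return accepted, rejected


# Constructed sandbox for a hypothetical organisation CA: its apex domain and all
# subdomains are permitted, but a guest subdomain is carved out explicitly.
SANDBOX_PERMITTED = (".example.com", "example.com")
SANDBOX_EXCLUDED = ("guest.example.com",)

# Constructed candidate SAN entries as they might appear in cert requests.
CANDIDATES = [
    "alice@example.com",        # apex host: matches "example.com"
    "bob@mail.example.com",     # subdomain: matches ".example.com"
    "temp@guest.example.com",   # inside ".example.com" but explicitly excluded
    "carol@example.org",        # another organisation entirely
]

if __name__ == "__main__":
    ok, bad = vet_subject_names(CANDIDATES, SANDBOX_PERMITTED, SANDBOX_EXCLUDED)
    print("inside sandbox :", ok)
    print("outside sandbox:", bad)
```

The same evaluation happens on the relying side during path validation (RFC 5280 section 6.1.4), which is what makes the sandbox enforceable: a domain CA that signs a certificate for a mailbox at another domain has produced a certificate that conforming validators will not accept.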
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto