
Goal for S/MIME 2007?



Still waiting for a response...
 
----- Original Message -----
Sent: Saturday, December 23, 2006 10:36
Subject: Goal for S/MIME 2007?

Today I concluded that my mailbox with 120 fresh messages consisted of about 110 messages where the sender address is either falsified or is coming through a hijacked computer.
 
In my opinion S/MIME is the primary culprit for this unbearable situation.
 
That Windows has shown some weaknesses with respect to virus attacks is undoubtedly true, but viruses would also have had much less impact if we had had a useful e-mail security architecture.  The same goes for phishing, not to mention spam.
 
I do believe that the designers of S/MIME did what they could back in the '90s.  However, now that we know better [*], shouldn't these guys who indirectly contribute to an annual waste of BILLIONS of good working hours from the Internet community rather try to create a system that to some extent compensates for the mistakes made in the past?
 
DKIM is a step in the right direction but it does not address confidentiality.  That DKIM was designed to support people who want to run their own mail-servers but cannot afford a domain-certificate is also a bit off since these entities represent at most 0.1% of today's Internet users.
 
Anders Rundgren
 
[*]
- Client certificates are [still] uncommon
- Encryption at the desktop by consumers does not work
- Security administrators want central policy handling
- Trusted third parties are the norm (from your employer to Google)
- You cannot send an encrypted e-mail to the IRS and you probably never will
- E-mail encryption is incompatible with many organizations' internal policies
- Security should be transparent, default, and non-intrusive