RE: Goal for S/MIME 2007?
I think that in order to address that particular market we would have to spend a lot of time re-engineering S/MIME to be less strict.
I don't want to make S/MIME looser. I want to work out a way to get people signing and encrypting their email. I don't particularly care what technology they use to do that.
S/MIME implementations lack a small amount of glue to make them more usable. If we can persuade the people deploying DKIM at the client end to add those small necessary pieces of glue to make the user experience seamless, we end up with the best of both worlds: ubiquitous lightweight signatures, dependable transactional signatures and message encryption.
> -----Original Message-----
> From: owner-ietf-smime@xxxxxxxxxxxx
> [mailto:owner-ietf-smime@xxxxxxxxxxxx] On Behalf Of Anders Rundgren
> Sent: Thursday, January 25, 2007 4:31 PM
> To: ietf-smime@xxxxxxx
> Subject: Re: Goal for S/MIME 2007?
>
>
> In theory S/MIME could be one "cure" against spam, viruses
> and phishing.
>
> There are at least two things making this stay as "theory".
>
> 1.
> There is no S/MIME trust structure that works except rather
> locally, effectively making every person on the net a "PKI
> trust administrator".
> Although the DoD have a solution (
> http://www.certipath.com/services.htm ), few other
> organizations can spend huge amounts of tax-payer money just
> to prove that "it can be done", but are rather evaluating
> other options.
>
> 2.
> The unavailability of a cheap, mobile, secure and fully
> standardized container makes the certificate requirement a
> much too high bar. That not even the financial sector have
> managed to deploy such schemes to more than 1-2% in spite of
> 10+ years of on-line banking is in my opinion good enough as
> a proof. The virtual explosion of Web-mail and mobile phone
> mail, actually makes the S/MIME-card-everywhere-vision more
> distant than ever. Well, the DoD have no problems [of
> course],
> http://www.karbonsystems.com/BlackBerry-SMIME-CAC-products_detail-83.html
> but who else would buy $200+ card-readers?
>
>
> It might be interesting knowing that some governments have indeed
> removed S/MIME from their C2G (Citizen-to-Government) PKI
> schemes since they have noted that the web is a more powerful way
> of delivering services as well as offering encryption for free.
>
> Regarding the failed DOMSEC experimental RFC, I believe that it
> [partly] failed because the authors did not realize that
> there already was
> a globally working PKI they should have hooked into; the web-server
> SSL PKI. Imagine, securing an entire e-mail domain for a measly $100-
> $200 annually! Too simple, too obvious, and too commercial I guess.
>
> AR
>
>