Re: Goal for S/MIME 2007?
"If we can persuade the people deploying DKIM at the client"
Putting DKIM in the client is IMHO not the right medicine. Any scheme that
requires locally stored keys essentially suffers from the same basic problem;
that we [still] have no [reasonable] mechanism for carrying such keys.
"dependable transactional signatures"
Transactions are typically performed by transaction systems. Due to this, I
cannot really see that S/MIME will play an important role in a future IT
landscape.
"I don't want to make S/MIME looser"
Neither do I, but it is enough that a message from john@xxxxxxxxxxx
is really coming from the example.com domain and is encrypted during its
transport to the receiver domain. Well, this probably only caters for some
99.9% of all use-cases, but for most people that is "good-enough". If a
0.1% "market-share" will keep S/MIME alive and kicking is yet to be seen.
I would not bet on it at least.
Anders R
----- Original Message -----
From: "Hallam-Baker, Phillip" <pbaker@xxxxxxxxxxxx>
To: "Anders Rundgren" <anders.rundgren@xxxxxxxxx>; <ietf-smime@xxxxxxx>
Sent: Friday, January 26, 2007 03:52
Subject: RE: Goal for S/MIME 2007?
I think that in order to address that particular market we would have to spend a lot of time re-engineering S/MIME to be less
strict.
I don't want to make S/MIME looser. I want to work out a way to get people signing and encrypting their email. I don't particularly
care what technology they use to do that.
S/MIME implementations lack a small amount of glue to make them more usable. If we can persuade the people deploying DKIM at the
client end to add those small necessary pieces of glue to make the user experience seamless we end up with the best of both worlds,
ubiquitous lightweight signatures, dependable transactional signatures and message encryption.
> -----Original Message-----
> From: owner-ietf-smime@xxxxxxxxxxxx
> [mailto:owner-ietf-smime@xxxxxxxxxxxx] On Behalf Of Anders Rundgren
> Sent: Thursday, January 25, 2007 4:31 PM
> To: ietf-smime@xxxxxxx
> Subject: Re: Goal for S/MIME 2007?
>
>
> In theory S/MIME could be one "cure" against spam, viruses
> and phishing.
>
> There are at least two things making this stay as "theory".
>
> 1.
> There is no S/MIME trust structure that works except rather
> locally, effectively making every person on the net a "PKI
> trust administrator".
> Although the DoD have a solution (
> http://www.certipath.com/services.htm ), few other
> organizations can spend huge amounts of tax-payer money just
> to prove that "it can be done", but are rather evaluating
> other options.
>
> 2.
> The unavailability of a cheap, mobile, secure and fully
> standardized container makes the certificate requirement a
> much too high bar. That not even the financial sector have
> managed to deploy such schemes to more than 1-2% in spite of
> 10+ years of on-line banking is in my opinion good enough as
> a proof. The virtual explosion of Web-mail and mobile phone
> mail, actually makes the S/MIME-card-everywhere-vision more
> distant than ever. Well, the DoD have no problems [of
> course],
> http://www.karbonsystems.com/BlackBerry-SMIME-CAC-products_detail-83.html
> but who else would buy $200+ card-readers?
>
>
> It might be interesting knowing that some governments have indeed
> removed S/MIME from their C2G (Citizen-to-Government) PKI
> schemes since they have noted that the web is a more powerful way
> of delivering services as well as offering encryption for free.
>
> Regarding the failed DOMSEC experimental RFC, I believe that it
> [partly] failed because the authors did not realize that
> there already was
> a globally working PKI they should have hooked into; the web-server
> SSL PKI. Imagine, securing an entire e-mail domain for a measly $100-
> $200 annually! Too simple, too obvious, and too commercial I guess.
>
> AR
>
>