Duane,

The idea is good, but as you point out, protocols such as LDAP already exist to do this.
What's missing is a global (worldwide) directory that's independent of a particular corporation or government. The key problem is that no one entity would have the resources to host such a server. Some distribution is necessary. Your protocol proposal is overly simplistic and does not address this issue, or the missing link of where the database of certs actually comes from ...
These topics have been discussed extensively on IETF pkix and smime mailing lists, but no solution was found. You should look at the archives and look for my name in there. I definitely agree with you that the need exists for a global directory that can map email address to certs. This is a gaping hole in global PKI usage. But not an easy one to solve.


Duane wrote:

I'm currently drawing up a proposal for an independent submission for an Internet Draft and I'm after feedback on this.

My idea is pretty simple: if all you have is an email address of the person you want to email, and they have a public certificate listed in the system, client software should automatically be able to retrieve the certificate and encrypt email to the person without any intervention from the user. This would be particularly useful for web mail services and 802.1x key handling, as all you need is the email address, not a bunch of certificates.

The current level and ease of use of cryptography is pretty poor, and perhaps that's understating it somewhat. To address this I started thinking about a whois type service to distribute certificates, and it ended up somewhere between a finger service and a PGP key exchange. Basically you connect to a TCP port on a CA service that interacts with a database, you supply an email address or a host name, and the system replies with the current valid certificate, which can then be used to encrypt data.

For the full draft + example daemon code to achieve this go to:

http://www.cacert.org/index.php?id=26&prob=8
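Duane's sketch above (connect to a TCP port, send an email address or host name, get back the current valid certificate) as an added example; this is not code from the original post or from the draft's daemon, and the in-memory database, the one-line query format and the "NOT FOUND" reply are assumptions. It keeps the whole thing on one host, so it does not address the distribution problem raised in the reply.

```python
import socket
import socketserver
import threading
from datetime import datetime, timezone

# Constructed stand-in for the CA's certificate database (hypothetical).
# Real entries would carry X.509 certificates; the PEM text here is a placeholder.
CERT_DB = {
    "alice@example.org": [
        {"pem": "-----BEGIN CERTIFICATE-----\n(expired placeholder)\n-----END CERTIFICATE-----",
         "not_before": datetime(2002, 1, 1, tzinfo=timezone.utc),
         "not_after": datetime(2003, 1, 1, tzinfo=timezone.utc)},
        {"pem": "-----BEGIN CERTIFICATE-----\n(current placeholder)\n-----END CERTIFICATE-----",
         "not_before": datetime(2003, 1, 1, tzinfo=timezone.utc),
         "not_after": datetime(2099, 1, 1, tzinfo=timezone.utc)},
    ],
}

def lookup(name, now=None):
    """Return the currently valid certificate for an email address or host name, else None."""
    now = now or datetime.now(timezone.utc)
    for entry in CERT_DB.get(name.strip().lower(), []):
        if entry["not_before"] <= now <= entry["not_after"]:
            return entry["pem"]
    return None

class LookupHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # One query per connection: a single line holding the email address or host name.
        query = self.rfile.readline(512).decode("ascii", "replace").strip()
        pem = lookup(query)
        self.wfile.write((pem + "\n" if pem else "NOT FOUND\n").encode())

def start_server():
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), LookupHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def query(port, name):
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(name.encode() + b"\n")
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    return data.decode().rstrip("\n")

if __name__ == "__main__":
    srv = start_server()
    print(query(srv.server_address[1], "alice@example.org"))
    srv.shutdown()
```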

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
