On 9/11/12 8:04 PM, "Jim Schaad" <[email protected]> wrote:

> <snip>
> 2. In order to deal with issues that are present for S/MIME and not for
> TLS, I believe that a new conjunction item is required to be added to the
> Certificate Usage field that says a) this is the EE certificate to be used
> and b) this is the trust anchor to be used.

Why the trust anchor? It's far more common (in my experience) to have to install a trust anchor to exchange email with someone than to interact with a web server. It's also common for the trust anchor considered by the sender to vary from the trust anchor used by the verifier. A CA constraint should work well here.

> 3. If the certificate lookup problem is to be solved, then it needs to be
> made clear that the full certificate selector is going to be the common one
> for the EE certificate of an S/MIME recipient for encryption, but it may not
> be for an S/MIME sender that is signing.

Certificate lookup for encryption seems like something that might be better solved using a certificate transparency log.

<snip>

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
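The reply above contrasts pinning a trust anchor in the record with a CA constraint, and the quoted point 3 contrasts the full-certificate selector with the SPKI selector. The following is an added example written for this page, not code from the thread or from any DANE implementation: it models the RFC 6698 Certificate Usage, Selector and Matching Type fields and shows which certificate in a presented chain each usage is compared against, and whether the verifier's own trust store is still consulted. The certificates, names and byte strings are constructed stand-ins (no real DER, no signature checks), and the `pkix_valid_locally` flag stands in for an RFC 5280 validation that the example does not implement.

```python
"""Added example (not from the DANE list thread): which certificate a DANE
record is matched against, per RFC 6698 Certificate Usage.

Everything below is constructed: the "certificates" are named byte strings,
issuer linkage is by name only, and no signatures are verified.
"""
import hashlib
from dataclasses import dataclass

# RFC 6698 field values
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3   # Certificate Usage
FULL_CERT, SPKI = 0, 1                             # Selector
EXACT, SHA256, SHA512 = 0, 1, 2                    # Matching Type


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate."""
    name: str
    issuer: str   # issuer's name; equals `name` for a self-signed root
    der: bytes    # stand-in for the DER-encoded certificate
    spki: bytes   # stand-in for the DER SubjectPublicKeyInfo


@dataclass(frozen=True)
class DaneRecord:
    usage: int
    selector: int
    matching: int
    data: bytes   # Certificate Association Data


def association_data(cert: Cert, selector: int, matching: int) -> bytes:
    raw = cert.der if selector == FULL_CERT else cert.spki
    if matching == EXACT:
        return raw
    if matching == SHA256:
        return hashlib.sha256(raw).digest()
    if matching == SHA512:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown matching type {matching}")


def make_record(cert: Cert, usage: int, selector: int, matching: int) -> DaneRecord:
    """The record a zone owner would publish for `cert`."""
    return DaneRecord(usage, selector, matching, association_data(cert, selector, matching))


def chains_to(chain: list, anchor: Cert) -> bool:
    """Follow issuer names from the leaf (chain[0]) until `anchor` is reached."""
    by_name = {c.name: c for c in chain}
    cur = chain[0]
    for _ in range(len(chain)):
        if cur.name == anchor.name:
            return True
        nxt = by_name.get(cur.issuer)
        if nxt is None or nxt is cur:   # missing issuer or self-signed root reached
            return False
        cur = nxt
    return False


def dane_accepts(record: DaneRecord, chain: list, pkix_valid_locally: bool) -> bool:
    """Does `chain` (leaf first) satisfy `record`?

    `pkix_valid_locally` is the caller-supplied outcome of ordinary RFC 5280
    validation against the verifier's *own* trust store.
    """
    def matches(c: Cert) -> bool:
        return association_data(c, record.selector, record.matching) == record.data

    leaf = chain[0]
    if record.usage == DANE_EE:
        # Usage 3: the leaf itself is pinned; the local trust store is not consulted.
        return matches(leaf)
    if record.usage == DANE_TA:
        # Usage 2 (the "CA constraint"): a CA in the chain must match and the
        # leaf must chain to it; that CA is the trust anchor, whatever the
        # verifier has installed locally.
        return any(matches(c) and chains_to(chain, c) for c in chain[1:])
    if record.usage == PKIX_EE:
        # Usage 1: leaf must match AND the verifier's own trust store must accept the chain.
        return matches(leaf) and pkix_valid_locally
    if record.usage == PKIX_TA:
        # Usage 0: a CA in the chain must match AND the local trust store must accept the chain.
        return any(matches(c) for c in chain[1:]) and pkix_valid_locally
    raise ValueError(f"unknown certificate usage {record.usage}")


# Constructed sample chain for a recipient (not real certificates or key material).
ROOT = Cert("Example Mail Root", "Example Mail Root", b"der:root", b"spki:root")
INTER = Cert("Example Mail CA1", "Example Mail Root", b"der:ca1", b"spki:ca1")
ALICE = Cert("alice@example.com", "Example Mail CA1", b"der:alice", b"spki:alice")
# Renewed certificate: same key, different certificate bytes.
ALICE_RENEWED = Cert("alice@example.com", "Example Mail CA1", b"der:alice2", b"spki:alice")
CHAIN = [ALICE, INTER, ROOT]
RENEWED_CHAIN = [ALICE_RENEWED, INTER, ROOT]
# Same address, but issued under a CA the recipient's zone never named.
OTHER_ROOT = Cert("Other Root", "Other Root", b"der:other", b"spki:other")
OTHER_CHAIN = [Cert("alice@example.com", "Other Root", b"der:alice-x", b"spki:alice"), OTHER_ROOT]

if __name__ == "__main__":
    ca_constraint = make_record(INTER, DANE_TA, SPKI, SHA256)
    print("DANE-TA, sender has no local anchor:", dane_accepts(ca_constraint, CHAIN, False))
    print("DANE-TA, chain from another CA:     ", dane_accepts(ca_constraint, OTHER_CHAIN, True))
    print("DANE-EE full cert after renewal:    ",
          dane_accepts(make_record(ALICE, DANE_EE, FULL_CERT, SHA256), RENEWED_CHAIN, False))
    print("DANE-EE SPKI after renewal:         ",
          dane_accepts(make_record(ALICE, DANE_EE, SPKI, SHA256), RENEWED_CHAIN, False))
```

With usage 2 the record names the recipient's CA and the sender needs no locally installed anchor, which is the CA-constraint behaviour the reply prefers; usage 0 still depends on what the verifier has installed, which is where the sender's and verifier's anchors can diverge. The last two lines show the selector trade-off from point 3: a full-certificate pin on an end-entity certificate breaks on renewal even when the key is unchanged, while an SPKI pin survives it.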
