On Fri, Dec 12, 2014 at 01:36:56AM +0000, Viktor Dukhovni wrote:

> On Thu, Dec 11, 2014 at 05:22:03PM -0800, Ian Fette (????????) wrote:
>
> > Sorry, just reading the SMIMEA stuff for the first time, so apologies for
> > the basic question, but do I really have to publish a record for each
> > address? How would I say "this is a trusted intermediate CA for *@gmail.com"?
>
> That would look like so:
>
> ;; insert CNAMEs for any desired indirection when
> ;; the same set of SMIMEA RRs handles multiple domains
> ;;
> *._smimecert.gmail.com IN SMIMEA 2 0 1 <blob>
>
> Keep in mind that this only supports signature verification, not
> encryption: one can't encrypt to an intermediate CA, one needs the
> leaf public key for that. So enabling encryption on first contact
> requires publishing per-user keys by some means.

There's always IBE, or just plain encrypting to the MTA's encryption
cert and then letting it decrypt and re-encrypt to the local-part's
encryption key.

> Otherwise all one gets is authenticated key exchange, possibly
> followed later by encryption once leaf keys have been exchanged in
> both directions.

That's not so bad. It's interactive, but so what.

Nico

-- 
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
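Worked example of the two points in the exchange above: how an SMIMEA record is located for a mailbox (per-user owner name versus a `*._smimecert.<domain>` wildcard), how a `2 0 1` record like the one Viktor shows is matched against a presented chain, and why such a record cannot be used to encrypt on first contact. This is added illustration code, not code from the thread or from any DANE implementation. It assumes the owner-name construction later standardised in RFC 8162 (SHA2-256 of the UTF-8 local part, truncated to 28 octets, lowercase hex), which postdates this 2014 discussion and may differ from the draft the posters were reading; the "certificates" are constructed byte strings standing in for DER, since the matching logic only hashes and compares octets. Only the full-certificate selector is implemented; the SPKI selector needs an ASN.1 parser.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Sequence

SMIMEA_LABEL = "_smimecert"


def smimea_owner_name(address: str) -> str:
    """Owner name at which the SMIMEA RRset for one mailbox is looked up.

    Assumption: RFC 8162 construction (SHA2-256 of the UTF-8 local part,
    truncated to 28 octets, lowercase hex) under _smimecert.<domain>.
    """
    local_part, _, domain = address.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not a mailbox address: {address!r}")
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}.{SMIMEA_LABEL}.{domain.lower()}"


def smimea_wildcard_owner(domain: str) -> str:
    """Owner name of one RRset that answers for every hashed local part,
    the shape of the *._smimecert.gmail.com record quoted in the thread."""
    return f"*.{SMIMEA_LABEL}.{domain.lower()}"


@dataclass(frozen=True)
class SMIMEARecord:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact octets, 1 SHA2-256, 2 SHA2-512
    data: bytes     # certificate association data

    @classmethod
    def from_presentation(cls, text: str) -> "SMIMEARecord":
        """Parse 'usage selector matching hexblob' as written in a zone file."""
        usage, selector, matching, blob = text.split()
        return cls(int(usage), int(selector), int(matching), bytes.fromhex(blob))


def association_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    """Compute what the record's data field would have to be for cert_der."""
    if selector != 0:
        raise NotImplementedError("selector 1 (SPKI) needs an ASN.1 parser; full-cert only")
    if matching == 0:
        return cert_der
    if matching == 1:
        return hashlib.sha256(cert_der).digest()
    if matching == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching}")


def record_matches_chain(rec: SMIMEARecord, chain: Sequence[bytes]) -> bool:
    """chain[0] is the end-entity certificate, the rest are its issuers (DER).

    DANE-EE (3): only the leaf may satisfy the record.
    DANE-TA (2): some issuer in the presented chain must match; a real
    verifier must additionally validate the leaf up to that issuer.
    PKIX usages (0/1) also need path validation to a trusted root and
    are left out here.
    """
    if rec.usage == 3:
        candidates = chain[:1]
    elif rec.usage == 2:
        candidates = chain[1:]
    else:
        raise NotImplementedError("PKIX usages need full path validation")
    return any(association_data(c, rec.selector, rec.matching) == rec.data
               for c in candidates)


def first_contact_key_material(rec: SMIMEARecord) -> Optional[bytes]:
    """The only record shapes that let a sender encrypt before any exchange:
    an end-entity record (usage 1 or 3) carrying the full certificate
    (selector 0) or full SPKI (selector 1) with matching type 0.  A hash,
    or any CA record, can only verify a certificate that arrives later,
    which is the limitation Viktor points out."""
    if rec.usage in (1, 3) and rec.matching == 0:
        return rec.data
    return None


# Constructed stand-ins for DER certificates (not real ASN.1).
ALICE_CERT = b"CONSTRUCTED-DER: CN=alice@example.com, issued by Example Mail CA"
MAIL_CA_CERT = b"CONSTRUCTED-DER: CN=Example Mail CA, issued by Example Root"
ROOT_CERT = b"CONSTRUCTED-DER: CN=Example Root (self-signed)"
ALICE_CHAIN = (ALICE_CERT, MAIL_CA_CERT, ROOT_CERT)

# Domain-wide record as in the thread: trust one intermediate CA for everyone.
DOMAIN_TA_RECORD = SMIMEARecord.from_presentation(
    "2 0 1 " + hashlib.sha256(MAIL_CA_CERT).hexdigest())
# Per-user record that publishes the whole leaf certificate (hypothetical).
ALICE_EE_RECORD = SMIMEARecord.from_presentation("3 0 0 " + ALICE_CERT.hex())

if __name__ == "__main__":
    print(smimea_owner_name("alice@example.com"))
    print(smimea_wildcard_owner("gmail.com"))
    print("TA record matches chain:", record_matches_chain(DOMAIN_TA_RECORD, ALICE_CHAIN))
    print("TA record usable for encryption:", first_contact_key_material(DOMAIN_TA_RECORD) is not None)
    print("EE record usable for encryption:", first_contact_key_material(ALICE_EE_RECORD) is not None)
```

The wildcard answers any hashed label, so one RRset covers every mailbox, but `first_contact_key_material` returns nothing for it: a verifier can check a signature chaining to the intermediate, yet has no public key to encrypt to until a per-user record or a signed message from the recipient supplies the leaf.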
