On Fri, Dec 12, 2014 at 03:42:11PM +1100, Mark Andrews wrote:
> The other thing we have to do is to arrange for the CERT to get
> from the MUA to the keyserver. Extending submission to handle that
> is sensible. That way the user can generate their own CERT. They
> can then submit it to the keyserver using submission/smtp after
> authenticating themselves. This last step is critical.
Yes: use MSA/MTA as the keyserver, both for lookup and registration. For verification, key lookup results can be attested to via DNSSEC. A client's MSA could check the peer's MTA on behalf of the MUA. I think this solves all problems, including aliasing, except in the case where the sender doesn't trust its own MSA as to the local-parts of peers.

Nico
--
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
