On Sat, Dec 13, 2014 at 06:17:24PM -0000, John Levine wrote:
> * verify an incoming signature without reference to a CA
> * encrypt mail to people who haven't already sent you a key
>
> Of the two, the second seems much more important. If it's only the
> first, I don't think it's worth the effort.
[ I understand and in part agree with your point, but I think
even the first alone is not as vacuous as it might seem. ]
Well, I don't see too many organizations outsourcing user enrollment
to a CA, or wanting to operate an RA, so the CA-trust thing is not
so much the issue as the problem of getting CA signatures for the
user certificates, having to handle revocation via a CA, ...
What DANE can do is make it possible to just use your enterprise
CA. For example, the Microsoft CA is very difficult to use for a
Windows shop; with DANE this can be extended to issuing certificates
that others can validate.
And I am not sure that first contact end-to-end encryption in which
only the final recipient gets to read the mail will be terribly
popular in a world of spam and email malware. In many ways,
signature-only with key exchange on reply has security advantages
that may make it a popular mode of deployment.
--
Viktor.
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane