On Thu, 2 Apr 2015, Osterweil, Eric wrote:
Also, the smime key attributes will tell if they are usable for
signing and/or encrypting. So my preference is to not have another
place to indicate this so we avoid needing to deal with mismatches.
I think this was better described by Doug M before, and you and I spoke about
this at the interim meeting, but to rehash: my certs may be used for any number
of actions (like the USG PIV cards), but I may not want them to be used
arbitrarily for different services (like all manner of email). I may also have
a cert that I want to no longer use for email, but I do _not_ want to revoke
it. I may want to use a cert (whose attributes are very permissive) for just
email signing. I can codify my wishes by not listing it as an encryption key
in DNS.
Well, this is SMIME and it uses PKIX, so the proper way to express any
kind of attributes is via EKU OIDs.
To be honest, I don't expect encrypted messages in the mailbox to
ever be very popular, encrypted storage is just too inconvenient
for most users.
Having run openpgpkey-milter and gotten all of my email encrypted
due to my own forwarder, I strongly agree that it is completely
inconvenient right now. But it is a problem that we need to solve to
make it convenient. I'm hoping that encrypting more email will mean
more people will work on better MUA integration of it. We really
need to fix this problem.
I’m aware of a lot of enterprise interest in encrypted email at rest.
End-to-end is good for live conversations, but
not so well suited to archived communication.
I personally would like my MUA to store email decrypted, replace the
encrypted email headers inside the body back into real email headers
and rely on full disk encryption. That way, I get the best of both
worlds.
I actually favor the encrypted email for the aforementioned reasons. At the
very least, it seems fair to consider giving the user the option.
The MUA can implement either. But I can tell you that it is next to
impossible to search through old encrypted emails. I often search
through old email, so I have a clear preference for storing it in
decrypted form accessible to my MUA, all of it protected by whole
disk encryption. But that's all a MUA based local/user policy
decision and we don't have to indicate any of this in DNS.
Paul
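The thread's point about expressing signing versus encryption usability through the certificate's own attributes (KeyUsage bits and the id-kp-emailProtection EKU, rather than a second flag in DNS), with the local MUA policy layered on top, worked through as an added example. This code is not from the thread or any dane draft: it uses small pure-Python DER helpers to build and parse a constructed X.509 Extensions blob (not a full certificate), and the sample extension sets and the `effective_usage` policy helper are illustrative assumptions.

```python
"""Derive S/MIME sign/encrypt usability from a certificate's own X.509
attributes: the KeyUsage bits and the Extended Key Usage OIDs (RFC 5280
4.2.1.3 / 4.2.1.12; S/MIME rules in RFC 5750 section 4.4). A minimal DER
encoder/decoder is included so the example runs offline. The extension
blobs below are constructed for illustration, not taken from real certs."""

OID_KEY_USAGE = "2.5.29.15"
OID_EXT_KEY_USAGE = "2.5.29.37"
ID_KP_ANY = "2.5.29.37.0"                 # anyExtendedKeyUsage
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

# KeyUsage bit positions, numbered from the most significant bit.
KU_DIGITAL_SIGNATURE, KU_NON_REPUDIATION, KU_KEY_ENCIPHERMENT, KU_KEY_AGREEMENT = 0, 1, 2, 4

# ---- minimal DER (definite-length TLV) ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def base128(value):
    chunk = bytearray([value & 0x7F]); value >>= 7
    while value:
        chunk.append((value & 0x7F) | 0x80); value >>= 7
    return bytes(reversed(chunk))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]]) + b"".join(base128(a) for a in arcs[2:])
    return der(0x06, body)

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value); value = 0
    return ".".join(map(str, arcs))

def der_bitstring(bits):
    """Encode a set of bit indices as a DER BIT STRING (trailing zeros trimmed)."""
    nbits = max(bits) + 1
    data = bytearray((nbits + 7) // 8)
    for b in bits:
        data[b // 8] |= 0x80 >> (b % 8)
    return der(0x03, bytes([len(data) * 8 - nbits]) + bytes(data))

def bitstring_bits(body):
    unused, data = body[0], body[1:]
    return {i for i in range(len(data) * 8 - unused) if data[i // 8] & (0x80 >> (i % 8))}

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# ---- Extensions ::= SEQUENCE OF Extension { extnID, critical, extnValue } ----
def extension(oid, value_der, critical=False):
    body = der_oid(oid) + (der(0x01, b"\xff") if critical else b"") + der(0x04, value_der)
    return der(0x30, body)

def build_extensions(key_usage_bits=None, ekus=None):
    exts = b""
    if key_usage_bits is not None:
        exts += extension(OID_KEY_USAGE, der_bitstring(key_usage_bits), critical=True)
    if ekus is not None:
        exts += extension(OID_EXT_KEY_USAGE, der(0x30, b"".join(der_oid(o) for o in ekus)))
    return der(0x30, exts)

def parse_extensions(ext_der):
    """Map extnID (dotted OID) -> raw DER inside the extnValue OCTET STRING."""
    _, body, _ = read_tlv(ext_der)
    result, pos = {}, 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_body, p = read_tlv(ext)
        tag, val, p = read_tlv(ext, p)
        if tag == 0x01:                       # optional 'critical' BOOLEAN
            _, val, p = read_tlv(ext, p)
        result[decode_oid(oid_body)] = val
    return result

def smime_usage(ext_der):
    """Return (can_sign, can_encrypt) as permitted by the cert's own attributes."""
    exts = parse_extensions(ext_der)
    if OID_EXT_KEY_USAGE in exts:
        _, seq, _ = read_tlv(exts[OID_EXT_KEY_USAGE])
        ekus, pos = set(), 0
        while pos < len(seq):
            _, oid_body, pos = read_tlv(seq, pos)
            ekus.add(decode_oid(oid_body))
        if not ekus & {ID_KP_EMAIL_PROTECTION, ID_KP_ANY}:
            return (False, False)             # EKU present but email not among the purposes
    if OID_KEY_USAGE in exts:
        _, ku, _ = read_tlv(exts[OID_KEY_USAGE])
        bits = bitstring_bits(ku)
        return (bool(bits & {KU_DIGITAL_SIGNATURE, KU_NON_REPUDIATION}),
                bool(bits & {KU_KEY_ENCIPHERMENT, KU_KEY_AGREEMENT}))
    return (True, True)                       # no KeyUsage: RFC 5280 imposes no restriction

def effective_usage(ext_der, local_allow=("sign", "encrypt")):
    """Hypothetical MUA-side policy: local choice can only narrow what the cert permits."""
    sign, enc = smime_usage(ext_der)
    return (sign and "sign" in local_allow, enc and "encrypt" in local_allow)

# Constructed sample extension sets (illustrative, not real certificates).
PERMISSIVE = build_extensions({KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT},
                              [ID_KP_EMAIL_PROTECTION, ID_KP_CLIENT_AUTH])
SIGN_ONLY = build_extensions({KU_DIGITAL_SIGNATURE, KU_NON_REPUDIATION}, [ID_KP_EMAIL_PROTECTION])
ENCRYPT_ONLY = build_extensions({KU_KEY_ENCIPHERMENT}, [ID_KP_EMAIL_PROTECTION])
NO_EMAIL_EKU = build_extensions({KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT}, [ID_KP_SERVER_AUTH])

if __name__ == "__main__":
    for name, blob in [("permissive", PERMISSIVE), ("sign-only", SIGN_ONLY),
                       ("encrypt-only", ENCRYPT_ONLY), ("no email EKU", NO_EMAIL_EKU)]:
        print(f"{name:13s} cert says {smime_usage(blob)}, local sign-only policy {effective_usage(blob, ('sign',))}")
```

The "permissive" set matches the PIV-style certificate the thread describes: both KeyUsage bits plus an EKU that allows email, so the certificate itself says it may sign and encrypt, and a user who wants it used only for signing expresses that as local MUA policy (`effective_usage`) rather than as a second attribute published in DNS. The "no email EKU" set shows why the EKU check comes first: a certificate whose EKU lists only serverAuth is not an S/MIME certificate at all, whatever its KeyUsage bits say.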
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane