On 9 Jul 2016, at 11:24, John Levine wrote:
> Any other issues should be brought forward
>
> Also, I see that there's a disclaimer about the semantics of
> the certificates, but I'm still confused.
>
> At this point, all S/MIME certificates are signed by a CA, and MUAs
> typically put ugly red marks on messages with a cert with an unknown
> CA.
>
> I gather the idea here is that the certs can be self-signed, and
> they're credible in the absence of a CA signature because the domain
> is asserting something about them via DNSSEC publication. But it
> never says that, or anything like that.
I have not done a recent survey of MUAs with S/MIME support and
self-signed PKIX certs, but when I did an informal survey in the past,
most of them supported a similar interface to the browsers at the time
with a layer of "are you really sure you want to do that" followed by
"OK, you did that" and it worked. We have no idea how they will change
with the introduction of DANE with SMIMEA records, but I would hope it
would be even easier. If it turns out that none of the MUAs want that,
that will be a really good indication of how this experiment is faring.
(Ditto for the parallel features in OpenPGP with the new OPENPGPKEY
record.)
--Paul Hoffman
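The check the two messages above are circling, a self-signed S/MIME certificate accepted because a DNSSEC-validated SMIMEA record vouches for it rather than a CA signature, as an added illustration (not code from this thread or from any draft): it derives the RFC 8162 owner name for an address and matches a presented certificate against DANE-EE (usage 3) records. Assumptions: only selector 0 (full certificate) is handled, the certificate bytes are a constructed stand-in, and the caller has already confirmed the RRset was DNSSEC-validated.

```python
import hashlib
import hmac
from dataclasses import dataclass


def smimea_owner_name(email: str) -> str:
    """Owner name for an address per RFC 8162: SHA2-256 of the local-part,
    truncated to its leftmost 28 octets, hex-encoded, under _smimecert.<domain>."""
    local, _, domain = email.rpartition("@")
    label = hashlib.sha256(local.encode("utf-8")).digest()[:28].hex()
    return f"{label}._smimecert.{domain.lower()}."


@dataclass(frozen=True)
class SmimeaRecord:
    usage: int      # 3 = DANE-EE: the DNS record itself vouches for the end-entity cert
    selector: int   # 0 = full certificate (1 = SubjectPublicKeyInfo, not handled here)
    matching: int   # 0 = exact bytes, 1 = SHA2-256, 2 = SHA2-512
    data: bytes     # certificate association data


def association_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    """Compute what the record's data field should contain for this certificate."""
    if selector != 0:
        raise NotImplementedError("selector 1 (SPKI) needs a DER parser; not shown")
    if matching == 0:
        return cert_der
    if matching == 1:
        return hashlib.sha256(cert_der).digest()
    if matching == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching}")


def cert_matches(cert_der: bytes, records: list[SmimeaRecord]) -> bool:
    """True if some DANE-EE (usage 3) record matches the presented certificate.
    No CA signature is consulted: the DNSSEC-validated RRset is the trust anchor,
    so the caller must only pass records from a locally validated (AD-bit) answer.
    Records with fields this code cannot evaluate are skipped, never treated as a match."""
    for rec in records:
        if rec.usage != 3 or rec.selector != 0 or rec.matching not in (0, 1, 2):
            continue
        if hmac.compare_digest(association_data(cert_der, 0, rec.matching), rec.data):
            return True
    return False


# Constructed stand-ins: not real DER, just bytes to exercise the matching logic.
SAMPLE_CERT = b"\x30\x82-constructed-self-signed-cert-bytes-"
PUBLISHED = [SmimeaRecord(3, 0, 1, association_data(SAMPLE_CERT, 0, 1))]
```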
dane mailing list
https://www.ietf.org/mailman/listinfo/dane