John, Thanks for your comment. It’s an important concern that you have raised.
In your scenario below, you write “if I publish a S/MIME certificate…” Can you tell me how you would publish that S/MIME certificate, how people would find it, and why it would be believed? The document essentially delegates the creation of S/MIME certs to the domain holders. If your domain holder is the kind of domain holder that would engage in an easy-detectable MITM attack such as you describe below, then why are you using them as your email provider? I’m sure I’m missing something here… It’s clear that distributing public key certificates is a fundamental problem with the PKI concept. How would solve it such that individuals could obtain certificates for people with whom they have had no previous contact? Regards, Simson > On Nov 9, 2016, at 11:07 AM, John Levine <jo...@taugh.com> wrote: > >> If you use gmail.com, you are at the mercy of google - whether encrypted >> or not. those users have already given control away to google. This >> document is not the right place to warn them about that. > > As it stands now, your first sentence is just wrong. Currently, if I > publish a S/MIME certificate for my gmail address, and people encrypt > mail using it, Google can't read my mail. They can throw it away of > course, but if it shows up in my mailbox, only I can read it. In the > other direction, only I can sign mail with my cert, and Google can't > pretend to be me in an S/MIME context. This assumes that CAs that > sign S/MIME certs are competent enough to check that it's me asking > them to sign, which I realize is kind of optimistic, but what I've > laid out is the way that S/MIME is supposed to work. > > This document flips that situation around so now gmail can publish > MITM certs for all its users whether they like it or not. That is a > big change. > > R's, > John > > _______________________________________________ > dane mailing list > dane@ietf.org > https://www.ietf.org/mailman/listinfo/dane _______________________________________________ dane mailing list dane@ietf.org https://www.ietf.org/mailman/listinfo/dane
