Hi Metin,

Comments below:

> On Sep 9, 2022, at 9:41 AM, Metin Savignano <m...@savignano.net> wrote:
> 
> Hi,
> 
> We’re a team working on an email encryption app. I am always looking for 
> better ways to simplify the use of S/MIME, because I believe that the current 
> PKI is the main reason for people not to use S/MIME. 
> 
> Hence, I’m currently working through RFC 8162 which looked very promising to 
> me. However, while doing so, I stumbled upon the fact that it seems to require 
> an SMIME record for each email address – or more precisely: for each possible 
> local part of the email address. That does not make a lot of sense to me, but I 
> would expect that you have your reasons, which I just don’t understand.
> 
> Let me explain what I’m trying to achieve:
> 
> There are numerous companies (including my own little team) that establish 
> their own CA. I’m looking for a way to publish the root certificate of 
> such a CA in a way that it can automatically be retrieved and trusted by a 
> remote mail client. It seemed like this could be done with DANE using the SMIMEA 
> record. I would expect that I can publish an SMIMEA record with certificate 
> usage 0 (PKIX-TA) that would be retrieved and used to validate the PKIX path. 
> 
> Well, as I understand the RFC, that could be done, but I would have to repeat 
> it for each and every possible local part of the email address. However, I 
> would rather want to publish just one record for the domain part, no matter 
> which local part is used in the email address.
> 
> So my question is:
> 
> Did you think of this scenario? Why is this option not described in the RFC? 
> Am I missing something?

I think it’s great that you’re looking at this!  To answer your specific question, 
I understand that different people have differing levels of interest in signing 
vs. encryption (vs. both) for email.  I recall a number of us had discussions 
about how you could place a root certificate at a wildcard at the mail domain’s 
APEX, so querying any lhs under that domain would return an SMIMEA record that 
could be usage type 0 or 2 (PKIX_TA or DANE_TA).  I think that would accomplish 
your goal of not needing to key every user.

So, for use...@example.edu through use...@example.edu, you would hit 
*.example.edu SMIMEA, which would return the root cert.  Does that make sense?

Just as some context: we, in my lab, are looking into SMIMEA as well and we’ve 
launched a pilot of an open provisioning infrastructure for managing per-user 
complexities, MUA add-ons that use DANE for S/MIME, and an open reference 
implementation of several DANE protocols (DANEportal.net 
<http://daneportal.net/> ,  kurer.daneportal.net <http://kurer.daneportal.net/> 
, and libCanute, respectively).  Our goals seem a little different than yours, 
but we would be happy to see if they can help you out.  We presented at the last 
IEPG, and the students are (I believe) on this list and can respond if you have 
any other thoughts!


Eric  


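As an added illustration of the wildcard idea discussed in this thread (example code, not from the thread, DANEportal or libCanute): RFC 8162 section 3 derives the query name from the hashed local-part under a `_smimecert` label, so one wildcard record at `*._smimecert.example.edu` answers for every local part. The zone contents and the single-label wildcard lookup below are simplified assumptions, and the certificate bytes are a placeholder.

```python
import hashlib

SMIMEA_PREFIX = "_smimecert"


def smimea_owner_name(email: str) -> str:
    """Owner name to query for an address, per RFC 8162 section 3:
    SHA2-256 over the UTF-8 local-part, truncated to 28 octets, hex-encoded,
    then '._smimecert.' and the (lower-cased, absolute) domain part.
    The local-part is hashed as given; RFC 8162 does not fold its case."""
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError("expected local-part@domain")
    label = hashlib.sha256(local_part.encode("utf-8")).digest()[:28].hex()
    return f"{label}.{SMIMEA_PREFIX}.{domain.rstrip('.').lower()}."


# Constructed zone data (assumption, not a real deployment): a single wildcard
# SMIMEA record under the mail domain's _smimecert node. RDATA is
# (cert usage, selector, matching type, cert association data); usage 0 =
# PKIX-TA and usage 2 = DANE-TA are the trust-anchor forms discussed in the
# thread. The certificate bytes are a placeholder, not a real certificate.
ZONE = {
    f"*.{SMIMEA_PREFIX}.example.edu.": [(0, 0, 0, b"<CA-root-cert-DER-placeholder>")],
}


def lookup_smimea(owner: str, zone=ZONE):
    """Resolve an owner name against the zone: an exact record wins; otherwise
    a wildcard one label above it answers (single-label case of RFC 4592;
    deeper names and closest-encloser rules are out of scope here)."""
    if owner in zone:
        return zone[owner]
    parent = owner.split(".", 1)[1]
    return zone.get(f"*.{parent}")


def trust_anchor_for(email: str):
    """What a MUA would receive for this address from the constructed zone:
    the same wildcard record for any local part, None for other domains."""
    return lookup_smimea(smimea_owner_name(email))


if __name__ == "__main__":
    for addr in ("alice@example.edu", "bob@example.edu", "carol@other.example"):
        print(addr, "->", smimea_owner_name(addr), trust_anchor_for(addr))
```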
_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane
