On Wednesday, May 16, 2018 at 2:16:14 AM UTC-4, Tim Hollebeek wrote:
> This is the point I most strongly agree with.
>
> I do not think it's at odds with the LAMPS charter for 6844-bis, because I do
> not think it's at odds with 6844.

Updating 6844 is easy. Just define the tag and specify scope for issue / issuewild / issueclient sensibly.

But that is only half the job really. If we want to get S/MIME widely used, we have to do ACME for client certs and integrate it into the MUAs. Not difficult but something needing to be done.

More difficult is working out what an S/MIME CA does, where organizational validation etc. adds value and how this relates to the OpenPGP way of doing things.

It occurred to me last night that the difference between S/MIME and OpenPGP trust is that one is by reference and the other is by value. S/MIME is certainly the solution for PayPal-like situations because the trust relationship is (usually) with PayPal, not the individual I am talking to. Key fingerprints have the advantage of binding to the person, which may be an advantage for non-organizational situations.

These are not disjoint sets of course and there is no reason to switch mail encryption technologies depending on the context in which we are communicating. I would rather add certificate capabilities to OpenPGP-as-deployed and/or S/MIME-as-deployed.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

