On Sun, 15 Sep 2013, Yaron Sheffer wrote:
> Wouldn't the following be simpler and more natural than both proposals:
> - The organization maintains its own CA, maybe just for S/MIME client certs.
> - The CA cert is kept as a DNS record, signed by DANE.
> - The CA cert is usage-limited, so it can be used for S/MIME only, and only
> for addresses at this particular domain. [I suppose this is the hard part. Is
> it allowed by X.509?]
I guess that works although that does not solve things for large user
domains like hotmail.com or gmail.com. Ideally, we would find something
that works there too, without giving the DNS owners the power to change
these. Although I have no idea if that can be done. Something DLV- or CT-like
comes to mind.
Paul
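The usage-limited CA that Yaron describes corresponds to two standard X.509 extensions, Name Constraints (rfc822Name subtrees) and Extended Key Usage (emailProtection); the block below is an added example, not code from either poster, written with the Python `cryptography` library and an assumed domain of example.com. It builds such a CA, checks a mailbox address against the CA's rfc822Name constraint the way RFC 5280 defines the matching, and renders the TLSA-style record data (usage 2, DANE-TA) that would pin the CA in DNS.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def make_smime_ca(domain):
    """Self-signed CA usable only for S/MIME (EKU) and only for mailboxes at
    `domain` (Name Constraints, RFC 5280 4.2.1.10). Returns (key, cert)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, f"{domain} S/MIME CA")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        # rfc822Name "example.com" permits mailboxes at that host and nothing else
        .add_extension(x509.NameConstraints(permitted_subtrees=[x509.RFC822Name(domain)],
                                            excluded_subtrees=None), critical=True)
        # EKU marks the CA as S/MIME-only for validators that enforce EKU chaining
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION]),
                       critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, cert

def rfc822_permitted(ca_cert, email):
    """Apply the CA's rfc822Name permitted subtrees to one mailbox address."""
    nc = ca_cert.extensions.get_extension_for_class(x509.NameConstraints).value
    mailbox = email.lower()
    host = mailbox.rpartition("@")[2]
    for tree in nc.permitted_subtrees or []:
        if not isinstance(tree, x509.RFC822Name):
            continue
        p = tree.value.lower()
        # RFC 5280: "user@host" names one mailbox, ".domain" any host below it,
        # a bare "host" exactly that host.
        match = (mailbox == p if "@" in p
                 else host.endswith(p) if p.startswith(".")
                 else host == p)
        if match:
            return True
    return False

def dane_ta_record(ca_cert):
    """DANE-TA pin of the CA: usage 2, selector 0 (full cert), matching type 1 (SHA-256)."""
    return f"2 0 1 {ca_cert.fingerprint(hashes.SHA256()).hex()}"
```

The constraint only helps if the relying mail client actually enforces Name Constraints and EKU along the chain, so that is the property to verify in the clients an organization intends to support.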
_______________________________________________
perpass mailing list
https://www.ietf.org/mailman/listinfo/perpass