To make encryption work on the Web we needed a strong business case to persuade millions of merchants to get SSL certificates. If we are going to achieve strong email encryption we should look for similar business cases.
I have just received a note from Chase to tell me that my Amazon credit card bill is due in 10 days. Seems they don't understand that my policy is that I keep the float, not them. I get maybe ten similar notes a month, none of which have the amount of the bill specified. The reason they don't attach the invoice is that email is insecure, there is no confidentiality.

But what if they could send the email and be confident it was confidential? Their business costs would go down.

So if there was an extended email address of the form <user>@<domain>?<Key-ID> a sender could consult some infrastructure that turns key ids into public keys (and validity statements) and encrypt the message it sends to me.

For purposes of sending invoices the spam problem is easily dealt with. An invoice sent by Chase or Amex should have a digital signature endorsed by an EV cert at the very least. It should probably have the logotype extension populated.

I am not sure about the separator character, # or ! also seem good. Can't use : or , for obvious reasons, or the braces. Could even have a scheme where we use all three:

  ? For encryption keys
  ! For Signature keys
  # For Dual purpose keys

But in the PKI scheme I am thinking would back this, any key that is used in such a fashion would be seen as a long term key used only for endorsement of other keys rather than the encryption key itself, so I don't think we need multiple versions.

Tending towards ? as it is the 50th anniversary of Dr Who. This would make a memorable URI form:

  who:[email protected]?TKLBE-LUOPM-SWYZ5-CNDFY-5FWWC-J6LRA

We can add in a locator version of the same value which would specify the DNS name of a service that would resolve the identifier to a credential:

  who://example.net/[email protected]?TKLBE-LUOPM-SWYZ5-CNDFY-5FWWC-J6LRA

[This is equivalent to the news/nntp uri treatment]

Yes, I know we can do the same thing in ni, but this is user facing and so every character in the identifier counts.
Not going to repeat the OpenID idiocy of using a URI (which was only so that someone could make money from a poxy registry).

--
Website: http://hallambaker.com/
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
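The identifier shapes the post proposes (bare `<user>@<domain>?<Key-ID>`, the `who:` URI, and the `who://<host>/...` locator form) are concrete enough to parse and resolve. The following is an added example, not code from the post or from any IETF work it mentions. It assumes a Key-ID layout of six dash-separated groups of five base32 characters (matching the shape of the sample value), a fingerprint construction (truncated SHA-256, base32) that the post never specifies, and a constructed in-memory directory standing in for the "infrastructure that turns key ids into public keys". The address and key bytes are constructed sample values. The resolver enforces the point made about the PKI model: the Key-ID names a long-term endorsement key, and the encryption key is obtained from the record that key endorses, after checking that the record really matches the fingerprint the sender asked for.

```python
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Separator the post leans towards; '!' and '#' are the alternatives it mentions.
KEY_SEPARATOR = "?"
# ':' and ',' clash with URI scheme and address-list syntax; braces are excluded too.
FORBIDDEN_SEPARATORS = {":", ",", "(", ")", "[", "]", "{", "}"}

# Assumed Key-ID shape: six groups of five base32 characters (A-Z, 2-7), dash separated.
KEY_ID_RE = re.compile(r"^(?:[A-Z2-7]{5}-){5}[A-Z2-7]{5}$")


@dataclass(frozen=True)
class WhoIdentifier:
    user: str
    domain: str
    key_id: str
    locator: Optional[str] = None  # DNS name of the resolving service, if the URI form carried one


def acceptable_separator(ch: str) -> bool:
    """True if a single character could serve as the address/Key-ID separator."""
    return len(ch) == 1 and ch not in FORBIDDEN_SEPARATORS and not ch.isalnum()


def parse_who(text: str) -> WhoIdentifier:
    """Parse the bare extended address, the who: URI, or the who://host/ locator form."""
    locator = None
    body = text
    if text.startswith("who://"):
        locator, _, body = text[len("who://"):].partition("/")
        if not locator or not body:
            raise ValueError("locator form needs a host and an address")
    elif text.startswith("who:"):
        body = text[len("who:"):]
    addr, sep, key_id = body.partition(KEY_SEPARATOR)
    if not sep:
        raise ValueError("missing key id")
    if not KEY_ID_RE.match(key_id):
        raise ValueError("malformed key id")
    # rpartition so a quoted local part containing '@' does not confuse the split.
    user, at, domain = addr.rpartition("@")
    if not at or not user or not domain:
        raise ValueError("malformed mailbox")
    return WhoIdentifier(user, domain, key_id, locator)


def key_id_for(public_key: bytes) -> str:
    """Assumed fingerprint: first 150 bits of SHA-256, base32, in five-character groups."""
    digest = hashlib.sha256(public_key).digest()
    b32 = base64.b32encode(digest).decode("ascii")[:30]
    return "-".join(b32[i:i + 5] for i in range(0, 30, 5))


# Constructed stand-in for the key-resolution infrastructure. The Key-ID names the
# long-term endorsement key; the record it indexes carries the current encryption key.
SAMPLE_ENDORSEMENT_KEY = b"constructed-long-term-endorsement-key-bytes"
SAMPLE_ENCRYPTION_KEY = b"constructed-current-encryption-key-bytes"
DIRECTORY = {
    key_id_for(SAMPLE_ENDORSEMENT_KEY): {
        "endorsement_key": SAMPLE_ENDORSEMENT_KEY,
        "encryption_key": SAMPLE_ENCRYPTION_KEY,
        "valid": True,
    }
}


def resolve_encryption_key(ident: WhoIdentifier, directory=DIRECTORY) -> bytes:
    """Look up the record for the identifier's Key-ID and return the endorsed encryption key."""
    record = directory.get(ident.key_id)
    if record is None:
        raise LookupError("no record for key id")
    # Never trust the index alone: recompute the fingerprint of the returned endorsement key.
    if key_id_for(record["endorsement_key"]) != ident.key_id:
        raise ValueError("directory record does not match the requested key id")
    if not record["valid"]:
        raise ValueError("endorsement key is not valid")
    return record["encryption_key"]


if __name__ == "__main__":
    kid = key_id_for(SAMPLE_ENDORSEMENT_KEY)
    ident = parse_who(f"who://example.net/alice@example.com?{kid}")
    print(ident)
    print(resolve_encryption_key(ident))
```

Because the directory is keyed by the endorsement key's fingerprint, a substituted record fails the recomputation check even if someone can write to the directory; the sender only ends up with an encryption key that the named long-term key actually endorses.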
