But the critical word was not in the discussion. Dimitri’s observation that the groups are really divided by id-kp- is the critical point in my mind because it also shows where the boundary lies between CABForum and IETF.
S/MIME needs some serious fixing. It is currently a niche product that has a userbase in the low millions, most of whom use it on an occasional basis at best. Meanwhile the Internet has a billion users and email attacks have changed the course of recent history. > On May 17, 2018, at 10:18 PM, Ryan Sleevi <[email protected]> wrote: > > > > On Thu, May 17, 2018 at 9:53 PM, Phillip <[email protected] > <mailto:[email protected]>> wrote: > We seem to have a terminology issue here. What is a server? This is obvious > in HTTP but far from obvious in the context of email because there is an > inbound and an outbound ‘server’ and it acts as a client and a server at > different times. > > > I'm afraid that discussion misses an important word in the discussion - > server *certificate*. That word helps us clarify that we're speaking about > certificates and their capabilities, not about the different flows in > different protocols. If I use an id-kp-serverAuth certificate with a SAN of > "www.google.com <http://www.google.com/>", this does not somehow mean I > exempt from the BRs or the existing scope of the server certificate working > group. > > So I think we can avoid such discussions about the terminology of servers, > and instead focus on the certificates and the existing charted working group, > which handles such certificates, regardless of the service context or the > role within the protocol. > > > > > I agree that certificates used to authenticate Mail Transport Agents are > properly part of what the Server WG is specifying. But they may be used by a > host acting as a TLS ‘server’ or ‘client’. > > > > > > Another little oddity is that we are assuming that the entity a CA validates > and issues certificates to in the S/MIME world is properly the end user > rather than the organization. That might not be the right approach. If what > the CA is effectively validating is ‘example.com <http://example.com/>’, and > not ‘alice@’, maybe it is better to perform validation on the organization. > > > I think that's something that could be discussed by the S/MIME WG - with a > refined charter scoped to S/MIME BRs. That discussion does not seem to > conflict with such a charter scoped simply to the BRs, as what you're > discussing is validation methods, which would be rather premature to discuss > in the absence of such a chartered group.
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
