On Wednesday, May 16, 2018 at 2:16:14 AM UTC-4, Tim Hollebeek wrote:
> This is the point I most strongly agree with.
>
> I do not think it's at odds with the LAMPS charter for 6844-bis, because I do
> not think it's at odds with 6844.

Updating 6844 is easy. Just define the tag and specify scope for issue /
issuewild / issueclient sensibly.

But that is only half the job really. If we want to get S/MIME widely used, we
have to do ACME for client certs and integrate it into the MUAs. Not difficult
but something needing to be done.

More difficult is working out what an S/MIME CA does, where organizational
validation etc. adds value and how this relates to the OpenPGP way of doing
things.

It occurred to me last night that the difference between S/MIME and OpenPGP
trust is that one is by reference and the other is by value. S/MIME is
certainly the solution for PayPal-like situations because the trust
relationship is (usually) with PayPal, not the individual I am talking to. Key
fingerprints have the advantage of binding to the person which may be an
advantage for non-organizational situations.

These are not disjoint sets of course and there is no reason to switch mail
encryption technologies depending on the context in which we are communicating.
I would rather add certificate capabilities to OpenPGP-as-deployed and/or
S/MIME-as-deployed.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy