On Mon, Feb 3, 2014 at 10:12 AM, John C Klensin <john-ietf@xxxxxxx> wrote:
--On Monday, February 03, 2014 09:05 -0500 Theodore Ts'o
<tytso@xxxxxxx> wrote:> If this is being done via https, and you trust that the CA forRight. Very weak authentication of individual identity but,
> ietf.org is doing a competent job, and *all* CA's and sub-CA's
> trusted by your browser are doing a competent job, then this
> will basically do what you want, and it doesn't require people
> to show up at a PGP signing party. The user experience
> becomes that which is needed when you sign up for a Google, or
> Yahoo, or any other web site which demands that you prove that
> you have a valid e-mail address.
given the above assumptions, decent-or-better authentication of
ownership of keys, addresses, and identity-persistence. Whether
that is good enough depends on one's concerns and attack
scenarios -- for the IETF list, I'd imagine almost no one would
care. And, of course, the requirement of competence by "*all*
CA's and sub-CA's trusted by your browser" doesn't pass a laugh
test these days unless one is paranoid and geeky enough to edit
browser CA lists down to those one actually has reason to trust.
On another list we have pretty much agreed that we are not interested in checking government issued ID in an IETF context.
Now there are many contexts where checking government issued IDs or employment badges or the like makes a lot of sense and Comodo is one of many CAs that support that type of enterprise need. But it is clear that we are not in that situation here.
So what validation process is there for me to validate against? All I can see is checking the email address with some sort of callback loop.
One of the reasons S/MIME has taken so long to take off is that people built the toll booths before the highway. In a world in which everyone is sending encrypted emails there are many ways for CAs to make money but we are not yet in that world.
The place where I think the CA industry is best placed to add most value is on the relying party side rather than the subject. Email trust infrastructures will necessarily be complex and there will be a need for those trust infrastructures to be curated.
Very few users are going to be 'geeky enough' to weed out their CA list but there are companies that will do that for them. And its not just CA lists, it is working out what key services are worth bothering with, evaluating webs of trust and the like.
I think there are banks who would very much like to be able to send their customers end-to-end encrypted email provided that the usability issues with current offerings are addressed.
Website: http://hallambaker.com/