Re: PGP security models, was Summary of IETF LC for draft-ietf-dane-openpgpkey

On Wed, Sep 23, 2015 at 4:03 PM, Melinda Shore <melinda.shore@xxxxxxxxx> wrote:
> I think I'd understand the objections and agree with many of
> the concerns being expressed if this were a standards-track
> document, but it's not.  It specifies a record type for
> experimental purposes, to increase the likelihood that people
> playing around with implementation implement the same things.
> It's somewhere between annoying and frustrating that an
> experimental document is being held to the same level of
> baked-ness that we expect of an internet standard.

I have already seen this experiment being used as an argument to drop support for S/MIME roots in a root store.

The earlier projects that raised my concern were also 'experimental' or otherwise outside standards track.

I have no problem with the draft going forward, provided that there is a statement that I and other people making proposals can point to stating that this is not going to block other approaches.

For example, if you have an organization that is hierarchical such as the US federal government, the simplest way to deploy end-to-end email in the organization would be to deploy a PKIX CA to issue S/MIME certificates, store the certificates in a Web server [*] and stick the address of the web server and the fingerprint of the intermediate KSK in a DNS record.

With this approach you have a separation in the service protocols that matches the separation of duties in the typical enterprise. DNS is an infrastructure that describes services, not an enterprise that describes people.




[*] not a directory, not X.500, not LDAP, no, a Web server that works and does not require a $50,000 consult to configure it. X.500 directory was the best wheeze the NSA ever had to sabotage PKI deployment and LDAP is just as bad.
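As an added illustration of the deployment sketched in the reply above (a CA-issued S/MIME certificate served from a plain web server, with the server address and the intermediate's fingerprint published in DNS), here is a small Python lookup-and-pin check. This is example code written for this page, not code from the thread, the draft, or any deployment; the DNS record format (`v=`, `uri=`, `ksk=` fields), the per-address URL layout on the web server, and the certificate bytes are all constructed for the example, and the "web server" is a dictionary standing in for an HTTPS fetch.

```python
"""Added example: resolve an S/MIME certificate for an address by consulting a
constructed DNS record that names a web server and pins the issuing
intermediate CA by SHA-256 fingerprint.  Nothing here is the draft's own
format; the record layout and URL scheme are assumptions of this example."""
import hashlib
import hmac


class PinMismatch(Exception):
    """Raised when the served issuer certificate does not match the DNS pin."""


def fingerprint(der_bytes):
    """Hex SHA-256 over the DER bytes of a certificate (the usual cert fingerprint)."""
    return hashlib.sha256(der_bytes).hexdigest()


def parse_pin_record(txt):
    """Parse a 'key=value; key=value' record into a dict.

    The field names (v, uri, ksk) are an assumption of this example."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "smimepin1":
        raise ValueError("unsupported record version: %r" % fields.get("v"))
    for required in ("uri", "ksk"):
        if required not in fields:
            raise ValueError("record missing %s field" % required)
    return fields


def fetch_chain(base_uri, email, server):
    """Stand-in for an HTTPS GET: the server dict maps URL -> [leaf, issuer, ...]."""
    url = base_uri.rstrip("/") + "/" + email
    if url not in server:
        raise LookupError("no certificate published for %s" % email)
    return server[url]


def lookup_and_verify(email, dns_record, server):
    """Return the leaf certificate for email only if the chain's issuer
    certificate matches the fingerprint pinned in the DNS record.

    Only the pin is checked here; a real client would additionally parse the
    DER, verify the issuer's signature over the leaf, and check validity dates."""
    record = parse_pin_record(dns_record)
    algo, _, expected_hex = record["ksk"].partition(":")
    if algo != "sha256":
        raise ValueError("unsupported fingerprint algorithm: %r" % algo)
    chain = fetch_chain(record["uri"], email, server)
    if len(chain) < 2:
        raise PinMismatch("server returned no issuer certificate to compare against the pin")
    issuer_der = chain[1]
    # Constant-time comparison avoids leaking how many leading hex digits matched.
    if not hmac.compare_digest(fingerprint(issuer_der), expected_hex.lower()):
        raise PinMismatch("issuer fingerprint does not match DNS pin for %s" % email)
    return chain[0]


# --- constructed sample data (not real certificates) -------------------------
INTERMEDIATE_DER = b"constructed-intermediate-ca-der-bytes"
ROGUE_INTERMEDIATE_DER = b"constructed-unrelated-intermediate-der-bytes"
USER_CERT_DER = b"constructed-alice-smime-leaf-der-bytes"

# Constructed DNS record for example.gov, pinning the constructed intermediate.
SAMPLE_DNS_RECORD = (
    "v=smimepin1; uri=https://certs.example.gov/smime/; "
    "ksk=sha256:" + fingerprint(INTERMEDIATE_DER)
)

# Constructed "web server" contents: one published chain for one address.
FAKE_WEB_SERVER = {
    "https://certs.example.gov/smime/alice@example.gov": [USER_CERT_DER, INTERMEDIATE_DER],
}


if __name__ == "__main__":
    leaf = lookup_and_verify("alice@example.gov", SAMPLE_DNS_RECORD, FAKE_WEB_SERVER)
    print("pin verified, leaf cert:", leaf)
```

The point of the split is the one the reply makes: DNS carries a service pointer and a single pin for the organization's issuing CA, while the per-person certificates live on an ordinary web server that the enterprise already knows how to run. Rotating the intermediate means publishing a new `ksk` value; adding or revoking a person touches only the web server.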

