Yoav Nir <ynir.ietf@xxxxxxxxx> wrote:
>> OpenPGP format permits a (public) key blog on contain many signing
>> (sub)keys, and so distributing a public key with a set of subkeys
>> where the private keys are stored into laptops and phones, etc. would
>> work.
>>> You end up reading encrypted mail only using one MUA, which is one
>>> more thing dragging the use of S/Mime down.
>> Agreed; I'm not sure if PKIX has a subkey concept. I suspect it's in
>> a standard, but I'm unclear if it was ever deployed.
> That works OK for signatures, but for encryption? You’d have to
> encrypt the message with each subkey. Yeah, I know only the symmetric
> key gets encrypted but it’s still ugly.
I'm pretty sure that the spec already says to do that.
> And we haven’t even mentioned the web MUA and where it stores the
> private keys.
There are existing S/MIME and PGP plugins and extensions for browsers that do
this. I'm aware of one that has received significant commercial success in
some quarters. I think that they can use the javascript local storage for
private keys, but I suspect that they also have options to store them
encrypted elsewhere.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr@xxxxxxxxxxxx http://www.sandelman.ca/ | ruby on rails [
--
Michael Richardson <mcr+IETF@xxxxxxxxxxxx>, Sandelman Software Works
-= IPv6 IoT consulting =-
Attachment:
signature.asc
Description: PGP signature