
Re: [Asrg] E-mail Postmarks



>> > That's always been a big problem for S/MIME.  If the keys are signed,
>> > they'll almost certainly be too big for a UDP DNS packet, even with a
>> > binary record format.
>> 
>> If they're large enough to be meaningful, yes.
>
>Why do you need signed keys?  

Depends on the distribution system.  If they come from a generic key
server, you need something to show that they're real.  If they come
from something harder to fake, DNS or a callback via http or smtp or
something, signatures are less likely to be useful.

One place where sigs might be handy is in an organization that has lots
of subdomains.  If you're bigcorp.com, and have subdomains
sales.bigcorp.com, eastpodunkoffice.bigcorp.com, and so forth, you
might want to publish one key for bigcorp.com and use it to sign
individual keys for each subdomain.  For that matter, if you have a
way to publish a per-domain key, you could use it to sign individual
keys for each user and use S/MIME the way it was originally intended.

Regards,
John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.
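The per-domain key signing per-subdomain and per-user keys described above, as an added worked example that is not part of the post, the ASRG proposals, or any S/MIME implementation. It assumes Ed25519 keys (chosen for compactness; the RSA keys of the day were far larger), a made-up length-prefixed binary record format, and the invented names bigcorp.com, sales.bigcorp.com and alice@sales.bigcorp.com. Besides checking the signatures up to the bigcorp.com anchor that a relying party would fetch from DNS, it enforces that each issuer only vouches for names beneath it, and it measures whether each record fits in a 512-byte UDP DNS reply.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// UDPLimit is the classic DNS/UDP payload ceiling without EDNS0.
const UDPLimit = 512

// Cert binds Name to an Ed25519 public key, signed by Issuer's key.
// (Illustrative structure; not an S/MIME or DNS record type.)
type Cert struct {
	Name   string
	Issuer string
	Pub    ed25519.PublicKey
	Sig    []byte
}

// tbs ("to be signed") serialises the covered fields, each length-prefixed,
// so that field boundaries are unambiguous under the signature.
func tbs(name, issuer string, pub ed25519.PublicKey) []byte {
	var b bytes.Buffer
	for _, f := range [][]byte{[]byte(name), []byte(issuer), pub} {
		var l [2]byte
		binary.BigEndian.PutUint16(l[:], uint16(len(f)))
		b.Write(l[:])
		b.Write(f)
	}
	return b.Bytes()
}

// Issue signs pub for name with the issuer's private key.
func Issue(issuer string, issuerPriv ed25519.PrivateKey, name string, pub ed25519.PublicKey) Cert {
	return Cert{Name: name, Issuer: issuer, Pub: pub,
		Sig: ed25519.Sign(issuerPriv, tbs(name, issuer, pub))}
}

// Encode is the compact binary record: signed fields followed by the signature.
func Encode(c Cert) []byte { return append(tbs(c.Name, c.Issuer, c.Pub), c.Sig...) }

// FitsInUDP reports whether one record fits a plain 512-byte UDP DNS answer.
func FitsInUDP(c Cert) bool { return len(Encode(c)) <= UDPLimit }

// childOf is the name constraint: sales.bigcorp.com is under bigcorp.com,
// alice@sales.bigcorp.com is under sales.bigcorp.com, nothing else is.
func childOf(name, issuer string) bool {
	return strings.HasSuffix(name, "."+issuer) || strings.HasSuffix(name, "@"+issuer)
}

// VerifyChain walks a leaf-first chain up to the trust anchor, which is the
// per-domain key the relying party obtained out of band (e.g. from DNS).
func VerifyChain(chain []Cert, anchorName string, anchorPub ed25519.PublicKey) error {
	if len(chain) == 0 {
		return errors.New("empty chain")
	}
	issuerName, issuerPub := anchorName, anchorPub
	for i := len(chain) - 1; i >= 0; i-- {
		c := chain[i]
		if c.Issuer != issuerName {
			return fmt.Errorf("%s: issuer %q, expected %q", c.Name, c.Issuer, issuerName)
		}
		if !childOf(c.Name, c.Issuer) {
			return fmt.Errorf("%s: not under %s", c.Name, c.Issuer)
		}
		if !ed25519.Verify(issuerPub, tbs(c.Name, c.Issuer, c.Pub), c.Sig) {
			return fmt.Errorf("%s: bad signature", c.Name)
		}
		issuerName, issuerPub = c.Name, c.Pub
	}
	return nil
}

// BuildDemoChain creates the bigcorp.com -> sales.bigcorp.com -> user chain
// with fresh keys and returns the leaf-first chain plus the anchor public key.
func BuildDemoChain() ([]Cert, ed25519.PublicKey, error) {
	orgPub, orgPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	salesPub, salesPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	userPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	sales := Issue("bigcorp.com", orgPriv, "sales.bigcorp.com", salesPub)
	user := Issue("sales.bigcorp.com", salesPriv, "alice@sales.bigcorp.com", userPub)
	return []Cert{user, sales}, orgPub, nil
}

func main() {
	chain, anchor, err := BuildDemoChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("chain valid:", VerifyChain(chain, "bigcorp.com", anchor) == nil)
	for _, c := range chain {
		fmt.Printf("%-26s record %3d bytes, fits UDP: %v\n", c.Name, len(Encode(c)), FitsInUDP(c))
	}
}
```

With Ed25519 the user record is 142 bytes, comfortably inside 512; swap in a 2048-bit RSA key and the modulus plus signature alone are already 512 bytes, which is the size problem the quoted reply is pointing at.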


_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg