Stephen Farrell wrote:
>
> Peter Gutmann wrote:
>>
>> Stephen Farrell <[email protected]> writes:
>>
>>> Is there a particular reason to try to focus on enterprises here?
>>
>> That's about the only environment where it's feasible to deploy S/MIME.
>
> Sure. And yet S/MIME is only deployed in a tiny fraction
> of enterprises and probably only used in a smallish
> fraction of the mail sent in those.
I don't think that there exists an implementation of S/MIME that can be reasonably deployed _anywhere_.

S/MIME defines PDUs and PDU semantics. Those specs are OK for basic interop. The problem isn't with S/MIME itself, but with how S/MIME typically involves PKIX for certificates and certificate chains and the private key associated with your own cert.

What I'm seeing in S/MIME implementations is that S/MIME signatures in archived emails typically start failing within a year after archival. I have a number of archived emails from failed attempts to use S/MIME in the enterprise, and they all fail signature validation today, although there was no data corruption, and none of the signer certs have been revoked.

In addition, there are a small number of messages that I can no longer open, because renewal/replacement of my user's private key & cert was "managed" in the enterprise setting, and the old/expired PKI credentials weren't kept around by that foolish "enterprise solution".

Personally, I'm not aware of an S/MIME solution that works reasonably with archived S/MIME-protected emails.

-Martin

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
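The failure mode Martin describes can be reproduced on a workstation with nothing but the OpenSSL command line. The script below is an added example, not part of the thread or of any S/MIME product: it builds a throw-away CA and a user certificate with a one-year lifetime (a typical enterprise setting), signs a constructed message as multipart/signed S/MIME, and then verifies that message three ways. Verifying against the current clock, which is what mail clients do, succeeds today; verifying with the chain evaluated at a time 400 days out (OpenSSL's real -attime option, standing in for "reading the archive next year") fails with an expired certificate even though nothing about the message changed and nothing was revoked; verifying with the chain evaluated at the recorded signing time, or with -no_check_time, succeeds again. The CA name, "Alice", alice@example.com, the message text and the 365/3650-day lifetimes are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: reproduce "archived S/MIME signature stops validating after
# the signer cert expires" with plain OpenSSL (1.1.1 or 3.x).
# The CA, the user cert, the message and the lifetimes below are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SIGNED_AT=0   # epoch seconds at which the message was signed (set by sign_message)

# Throw-away CA (10 years) and a user signing cert issued for 365 days,
# with the key usages an S/MIME signing cert normally carries.
make_pki() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" -subj "/CN=Constructed Archive CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 -sha256 \
    -set_serial 1 -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null

  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" -subj "/CN=Alice" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=emailProtection\nsubjectAltName=email:alice@example.com\n' > "$WORK/user.ext"
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -days 365 -sha256 -set_serial 2 -extfile "$WORK/user.ext" -out "$WORK/user.pem" 2>/dev/null
}

# Sign a constructed message as multipart/signed S/MIME (signer cert and a
# signingTime attribute are included by default) and record when we did it.
sign_message() {
  printf 'Signed while the certificate was still valid.\n' > "$WORK/body.txt"
  openssl cms -sign -in "$WORK/body.txt" -text \
    -signer "$WORK/user.pem" -inkey "$WORK/user.key" -out "$WORK/signed.eml" 2>/dev/null
  SIGNED_AT="$(date +%s)"
}

# Verify the archived message with the certificate chain evaluated at the given
# epoch time; an empty argument means "the current clock", as mail clients do.
# Returns 0 on success, non-zero when OpenSSL rejects the message.
verify_at() {
  if [ -n "$1" ]; then
    openssl cms -verify -in "$WORK/signed.eml" -CAfile "$WORK/ca.pem" \
      -attime "$1" -out /dev/null 2>/dev/null
  else
    openssl cms -verify -in "$WORK/signed.eml" -CAfile "$WORK/ca.pem" -out /dev/null 2>/dev/null
  fi
}

# Verify while ignoring notBefore/notAfter entirely (OpenSSL's -no_check_time).
verify_ignoring_time() {
  openssl cms -verify -in "$WORK/signed.eml" -CAfile "$WORK/ca.pem" \
    -no_check_time -out /dev/null 2>/dev/null
}

report() {  # $1 = label, remaining args = command to run
  label="$1"; shift
  if "$@"; then printf '%-48s OK\n' "$label"; else printf '%-48s FAILS\n' "$label"; fi
}

main() {
  make_pki
  sign_message
  printf 'signing cert validity:\n'; openssl x509 -in "$WORK/user.pem" -noout -dates
  report "verify now (what a mail client does)"        verify_at ""
  report "verify 400 days from now (reading the archive)" verify_at "$((SIGNED_AT + 400 * 86400))"
  report "verify with chain evaluated at signing time"  verify_at "$SIGNED_AT"
  report "verify with -no_check_time"                   verify_ignoring_time
}

main
```

The third and fourth checks show that the signature and the chain are intact; only the validity window has moved out from under them. Two caveats before relying on either in an archive reader: the signingTime attribute is asserted by the signer and is not a trusted time source unless backed by an RFC 3161 timestamp, and revocation status has to be judged as of that past time as well, which needs CRL/OCSP data that was captured back then.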
