Hi,

We're a team working on an email encryption app. I am always looking for better ways to simplify the use of S/MIME, because I believe that the current PKI is the main reason for people not to use S/MIME.

Hence, I'm currently working through RFC 8162, which looked very promising to me. However, while doing so, I stumbled upon the fact that it seems to require an SMIMEA record for each email address, or, more precisely, for each possible local part of the email address. That does not make a lot of sense to me, but I would expect that you have your reasons, which I just don't understand.

Let me explain what I'm trying to achieve: There are numerous companies (including my own little team) that establish their own CA. I'm looking for a way to publish the root certificate of such a CA in a way that it can automatically be retrieved and trusted by a remote mail client. It seemed like this could be done with DANE using the SMIMEA record. I would expect that I can publish an SMIMEA record with certificate usage 0 (PKIX-TA) that would be retrieved and used to validate the PKIX path. Well, as I understand the RFC, that could be done, but I would have to repeat it for each and every possible local part of the email address. However, I would rather want to publish just one record for the domain part, no matter which local part is used in the email address.

So my question is: Did you think of this scenario? Why is this option not described in the RFC? Am I missing something?

Thank you very much!

Kind regards
Metin

--
Metin Savignano
savignano software solutions
Königsallee 43
71638 Ludwigsburg
Germany
t +49-7141-13345-11
m +49-177-1971798
Import my contact data with one click from https://secure.savignano.net/vcard/metinsavignano.vcf
_______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
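The per-local-part behaviour the poster describes follows from how RFC 8162 (section 3) forms the SMIMEA owner name: the SHA2-256 hash of the UTF-8 local part, truncated to 28 octets and hex-encoded, becomes a label under `_smimecert.<domain>`, so every local part maps to its own name. The following added example (not code from the post or from the RFC) builds that owner name and a certificate usage 0 (PKIX-TA), selector 0, matching type 1 RDATA for a root CA; the DER bytes are a constructed stand-in, not a real certificate.

```python
import hashlib

USAGE_PKIX_TA = 0        # certificate usage 0: trust anchor, PKIX path validation still required
SELECTOR_FULL_CERT = 0   # selector 0: association data covers the full certificate
MATCHING_SHA256 = 1      # matching type 1: SHA2-256 digest of the selected data


def smimea_owner_name(email: str) -> str:
    """Owner name per RFC 8162 section 3: hex(SHA2-256(local-part)[:28]) '._smimecert.' domain."""
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError("expected an address of the form local-part@domain")
    # The hash covers the UTF-8 local part exactly as written; no case folding is applied here.
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._smimecert.{domain}"


def smimea_rdata(cert_der: bytes, usage: int = USAGE_PKIX_TA,
                 selector: int = SELECTOR_FULL_CERT, matching: int = MATCHING_SHA256) -> bytes:
    """Wire-format RDATA: usage, selector, matching type (one octet each) then association data."""
    if selector != SELECTOR_FULL_CERT or matching != MATCHING_SHA256:
        raise NotImplementedError("only selector 0 with matching type 1 is modelled here")
    return bytes([usage, selector, matching]) + hashlib.sha256(cert_der).digest()


def parse_smimea_rdata(rdata: bytes) -> tuple:
    """Split wire-format RDATA back into (usage, selector, matching type, association data)."""
    if len(rdata) < 4:
        raise ValueError("SMIMEA RDATA too short")
    return rdata[0], rdata[1], rdata[2], rdata[3:]


def presentation(owner: str, rdata: bytes) -> str:
    """Zone-file style line for the record (hex association data)."""
    usage, selector, matching, data = parse_smimea_rdata(rdata)
    return f"{owner}. IN SMIMEA {usage} {selector} {matching} {data.hex()}"


# Constructed stand-in for a DER-encoded root CA certificate; not a real certificate.
SAMPLE_ROOT_CA_DER = b"\x30\x82\x01\x00" + b"constructed sample root CA certificate bytes"

if __name__ == "__main__":
    # Two users of the same domain and the same CA still need two distinct owner names.
    for address in ("alice@example.com", "bob@example.com"):
        print(presentation(smimea_owner_name(address), smimea_rdata(SAMPLE_ROOT_CA_DER)))
```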
