Reconsider S/MIME

They already do; signatures are shown on both mobile and web. G Suite users can also encrypt and sign.

Well, most of the buy-in has already been done; it's just relatively inaccessible for most end-users.

Estonia and probably some others have given everyone an S/MIME certificate, stored on a smart card. So yes, the key is not exactly generated by you, but in theory it's generated by the smart card and also identity-validated.
These systems would interoperate but do somewhat separate things.

Probably because you can get an OpenPGP key pair without paying someone.

3 Likes

By the way, there is a test implementation of RFC 8823 (S/MIME ACME) on my GitHub:
orangepizza/pebble email branch

The client doesn't really deploy the certificate, though; it just prints the PEM format of the certificate to stdout.

4 Likes
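For readers who have not looked at RFC 8823, the following is an added illustration of the "email-reply-00" challenge that the Pebble branch above implements. It is not orangepizza's code, nor Pebble's or Let's Encrypt's. The message formats (the `ACME: <token-part1>` subject, the `token` field in the challenge object carrying token-part2, the key authorization computed over the concatenation of the two parts, and the base64url SHA-256 digest framed by `-----BEGIN ACME RESPONSE-----` in the reply body) follow RFC 8823 and RFC 8555; the account JWK, token parts, addresses, challenge URL and Message-ID are constructed values, and SMTP delivery and the DKIM check the RFC expects are left out. The server side rejects a reply whose digest was computed with a different account key, and refuses a replayed reply.

```python
"""RFC 8823 "email-reply-00" challenge, both sides, on constructed data.

Assumed/constructed (not from the RFC or any real CA): ACCOUNT_JWK, the
token parts passed to run_exchange(), all addresses, the challenge URL and
the Message-ID. Mail transport and DKIM verification are omitted.
"""
import base64
import hashlib
import hmac
import json
import re
import secrets
from email import message_from_string
from email.message import EmailMessage
from email.policy import default as EMAIL_POLICY

# Constructed public JWK: only its RFC 7638 thumbprint is used, so the
# coordinates need not belong to a real key pair.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}

# Subject is "ACME: <token-part1>", replies prefix it with "Re:".
SUBJECT_RE = re.compile(r"^\s*(?:re:\s*)*ACME:\s*([A-Za-z0-9_-]+)\s*$", re.IGNORECASE)
BODY_RE = re.compile(r"-----BEGIN ACME RESPONSE-----\s*([A-Za-z0-9_-]+)\s*-----END ACME RESPONSE-----")


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(part1: str, part2: str, jwk: dict) -> str:
    """RFC 8823: token = token-part1 || token-part2; then RFC 8555 token.thumbprint."""
    return f"{part1}{part2}.{jwk_thumbprint(jwk)}"


def response_digest(key_authz: str) -> str:
    """What the client puts in the reply body: base64url(SHA-256(keyAuthorization))."""
    return b64url(hashlib.sha256(key_authz.encode("ascii")).digest())


def new_token_part() -> str:
    return b64url(secrets.token_bytes(16))  # 128 bits of entropy per part


class AcmeEmailServer:
    """CA side: hands out the challenge object and challenge email, then checks the reply."""

    def __init__(self, from_addr: str):
        self.from_addr = from_addr
        self.pending = {}  # token-part1 -> (identifier, token-part2, account JWK)

    def challenge(self, identifier, account_jwk, part1=None, part2=None):
        part1, part2 = part1 or new_token_part(), part2 or new_token_part()
        self.pending[part1] = (identifier, part2, account_jwk)
        obj = {"type": "email-reply-00", "url": "https://acme.example/chall/1",  # constructed URL
               "status": "pending", "token": part2, "from": self.from_addr}
        msg = EmailMessage(policy=EMAIL_POLICY)
        msg["From"], msg["To"] = self.from_addr, identifier
        msg["Subject"] = f"ACME: {part1}"
        msg["Message-ID"] = "<chall-1@acme.example>"
        msg["Auto-Submitted"] = "auto-generated; type=acme"
        msg.set_content("Reply to this message to prove control of the address.")
        return obj, msg.as_string()

    def verify(self, reply_text: str) -> bool:
        reply = message_from_string(reply_text, policy=EMAIL_POLICY)
        m = SUBJECT_RE.match(reply["Subject"] or "")
        if not m or m.group(1) not in self.pending:
            return False
        part1 = m.group(1)
        identifier, part2, jwk = self.pending[part1]
        sender = reply["From"].addresses[0].addr_spec.lower() if reply["From"] else ""
        if sender != identifier.lower():          # reply must come from the address under validation
            return False
        body = reply.get_body(preferencelist=("plain",))
        b = BODY_RE.search(body.get_content() if body else "")
        if not b:
            return False
        expected = response_digest(key_authorization(part1, part2, jwk))
        ok = hmac.compare_digest(b.group(1), expected)  # only the account-key holder can produce this
        if ok:
            del self.pending[part1]               # single use: a replayed reply is rejected
        return ok


def client_reply(challenge_obj, challenge_email_text, account_jwk, my_addr) -> str:
    """Client side: pull token-part1 from the email, combine with the JSON token, answer."""
    chall = message_from_string(challenge_email_text, policy=EMAIL_POLICY)
    m = SUBJECT_RE.match(chall["Subject"] or "")
    if not m:
        raise ValueError("not an ACME challenge email")
    if chall["From"].addresses[0].addr_spec != challenge_obj["from"]:
        raise ValueError("challenge email sender does not match the challenge 'from' field")
    digest = response_digest(key_authorization(m.group(1), challenge_obj["token"], account_jwk))
    reply = EmailMessage(policy=EMAIL_POLICY)
    reply["From"], reply["To"] = my_addr, challenge_obj["from"]
    reply["Subject"] = f"Re: ACME: {m.group(1)}"
    reply["In-Reply-To"] = chall["Message-ID"]
    reply.set_content(f"-----BEGIN ACME RESPONSE-----\n{digest}\n-----END ACME RESPONSE-----\n")
    return reply.as_string()


def run_exchange(client_jwk=ACCOUNT_JWK, part1="G5hnHPzHz9Uc9H-VqW_Cfw", part2="b3pCaMVlhI7a7K8c1dmgZA"):
    """Full round trip on constructed addresses; returns the server's verdict."""
    server = AcmeEmailServer("acme-challenge@ca.example")
    obj, chall_mail = server.challenge("alice@example.org", ACCOUNT_JWK, part1, part2)
    reply = client_reply(obj, chall_mail, client_jwk, "alice@example.org")
    first = server.verify(reply)
    return first and not server.verify(reply)  # second submission must be refused


if __name__ == "__main__":
    print("exchange accepted:", run_exchange())
```

The two token halves are the point of the design: someone who can read the mailbox learns token-part1 but not token-part2 (which only travels over the ACME channel), and someone who can talk to the ACME server learns token-part2 but not token-part1; producing the digest additionally needs the account key's thumbprint, so neither a mail-only nor an API-only attacker can complete the challenge.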

They don't exist, because S/MIME is a relatively independent standard that doesn't require a central registry or trust. It can be augmented with that, which is what several countries have done, and the CA/B forum has a working group to explore rolling out certification and requirements (see S/MIME Certificate Working Group – CAB Forum). That being said, the CA/B forum has a working group on this, so standards are likely coming and LetsEncrypt would have to abide by them once that happens.

The "issuer" of the S/MIME certificate is largely irrelevant; existing standards like DSIG and FOAF can connect all the dots on identity to an S/MIME key. I can't remember if it was Bell Labs or IBM that ran a PGP keyserver web-of-trust as a proof of concept in the early-mid 90s (I sign your key, you sign mine, etc.), to map social connections through personal certificates.

IMHO, the following are all true:

  • The internet would be better with S/MIME being more accessible, especially to the general public.
  • A public interest non-profit is the best option to advance it, before large tech companies start to compete on it. Eventually they will, and consumers will be juggling one or more corporate allegiances/personas.
  • LetsEncrypt is a terrible candidate to increase S/MIME; it would require at least a doubling of their product, engineering and computing resources – and they have a large backlog of SSL Certificate features, alongside future resources already allocated for expected growth.

I honestly just can't envision ISRG meaningfully advancing S/MIME in any way without extensive fundraising, and even then still somewhat sabotaging their ACME services.

6 Likes
