Should I use S/MIME?

Simon Josefsson jas at extundo.com
Mon Nov 8 15:10:56 CET 2004


"Mark H. Wood" <mwood at IUPUI.Edu> writes:

> On Sat, 6 Nov 2004, Simon Josefsson wrote:
> [snip]
>> If someone knows of a public X.509 CA that issues you a certificate if
>> you prove possession of a private key and an email address, I am
>> interested and would recommend it to others.  Heck, even one that gives
>> you a certificate and a private key if you prove possession of an
>> email address would suffice.
>
> Whether that is a good idea or not depends on what you (as the sender,
> *or* as the recipient) want an identity document to mean.  If it's good
> enough to be able to strongly suggest that the sender of message A and the
> sender of message B are the same (possibly unknown) person, then these
> essentially anonymous certificates should suffice.  If, on the other hand,
> someone wishes to identify the sender of a message with some entity or
> event outside the realm of e-mail (and there are legitimate reasons to do
> so) then more investigation is needed to bind the certificate to that
> other identity.

Right, I agree.

However, in the case of CACert, it seems suspect to give out
privacy-critical information to someone you don't have a paper contract
with.  CACert tries to suggest that their service provides a strong
binding of the certificate and the real person, but it really doesn't.
They only seem to verify the e-mail <-> certificate binding.  I think it
would give a better impression of a service to only ask for personal
information that they actually verify, than to ask for personal
information just because they think they need it.

Btw, someone suggested www.trustcenter.de as an example of a CA I
asked for above.  I enrolled for a certificate, they asked me for my
personal name, e-mail address and gender, and I got a certificate.
Nice work, even though it could be improved by making the personal
name and gender optional.  Of course, giving out TLS web server
certificates for free would also be useful.



