Email Signing Technology Group (MASS) from Hallam-Baker, Phillip on 2004-11-23 (www-xkms@w3.org from November 2004)

From: Hallam-Baker, Phillip <pbaker@verisign.com>
Date: Tue, 23 Nov 2004 07:53:38 -0800
To: "'Shivaram Mysore'" <shivarammysore@yahoo.com>, XKMS WG <www-xkms@w3.org>
Message-ID: <C6DDA43B91BFDA49AA2F1E473732113E010BED8B@mou1wnexm05.vcorp.ad.vrsn.com>

All,
 
    Long time no see. Folk here may have been following the Domain Keys /
Identified Internet Mail proposals being raised for preventing phishing and
certain types of spam. IIM includes a proposal for a key management server,
I am pushing for this to be XKMS.
 
    The core ESTG/MASS concept is edge to edge signing, however there is a
desire that edge to end, end to edge and end to end all fit in the same
framework, providing a seamless upgrade path from domain level signing to
address and even sub address (policy) level signatures. 
 
 
    To help with the persuasion the group is looking for a minimal C based
client for XKMS/XKISS to allow it to be added to existing authentication
stacks. Has anyone written something of the sort? The objective would be
smallest footprint possible. The bare minimum functionality would be for
XKISS locate.
 
    Also it would be helpful to be able to stand up an open source key
server for testing purposes. Ideally this would support the following
functions:
 
1) XKISS Locate 
        * unsigned is ok, SSL is not required
        * return the key value (only)
 
2) XKRSS Register / Revoke
        * server generated keys would be nice but not essential
        * recover not needed (signature only)
 
The service should return data that has either been registered via the XKRSS
interface or manually configured. Smaller, simpler least complext is best.
 
There are source forge projects for both Domain Keys and IIM. If we work
right here we can hook the XKMS waggon to these projects in such a way that
it works as an additional engine, helping us both to get to our destination
faster and not as a brake.
 
 
If we can get a critical mass of functionality here with low impact on the
complexity of signing servers there is a lot of additional functionality
that can be built out. For example ability to validate the response to a
locate or validate request according to a key supplied thru the ESTG policy
record. We can work out from adding signatures to doing encryption, here I
would suggest using existing PGP or S/MIME formats with XKMS as the key
acquisition mechanism and MASS to provide some level of policy signalling.
 
If this is going to scale for email then the XKMS results would have to be
presigned. There are going to have to be a number of additional specs to
clear up how exactly pieces fit together. There is however a huge momentum
behind the idea of edge email signing.
 
 
        Phill

Received on Tuesday, 23 November 2004 15:53:42 UTC