I recently set up S/MIME for my email address. While in a day to day sense it is a lot simpler than PGP to use, primarily because native client support is near universal, the set up process was, to say the least, complicated.
By far and away the most complicated part of the process was obtaining the certificate required to sign and encrypt the emails.
Each certificate authority has a different procedure to obtain them; some requiring you to fill out an online form, some requiring a phone conversation (!!!), some would email you a link, others would offer you a direct download. Sometimes the certificate couldn’t be directly used, and would require you to install the certificate into your web browser, and then through some complicated process export them into a format that your email client could use.
S/MIME is mostly deployed within large organisations, so it is likely that it is envisaged that some IT department would take care of generating and installing certificates on a user’s behalf. But, if we want to see it more widely used, we need to streamline this process.
There is, in my mind, no reason why this process can’t be handled in a more streamlined way. Imagine setting up an email account in your mail client, wouldn’t it be cool if the last screen of the wizard prompted you to secure your email address, and gave you a short list of providers to click on? You mail client could then securely communicate with an endpoint, send the email address of the account, and then return and automatically install the generated certificate.
All that needs to happen is for the certificate providers to agree on some sort of protocol to do this, and for one or two email clients to implement it. It is the kind of problem that could be solved by getting a couple of developers from Commodo, Trust, Mozilla and the Microsoft Outlook team in a room for half a day.
How can we make this happen?