--- Craig McGregor <Craig(_dot_)McGregor(_at_)treasury(_dot_)govt(_dot_)nz>
The proposed solutions that use existing signature structures (e.g.
S/MIME) are not receiving the same amount of "advocacy" as the proposals
that propose to invent new signature or verification schemes. This is a
somewhat surprising because existing running code is always preferable
and S/MIME already has many independent implementations. There really
would need to be some pretty good reasons to ignore S/MIME structures
and create something new. What are they?
Actually I ask the same question in reverse. There really needs to be some
pretty good reasons why we would even consider S/MIME.
After all, it's a complex, niche technology. It's not deployed or implemented
in the main Internet email programs that MASS is concerned about. It mostly
addresses different problems than what we want to solve and it's a disruptive
encapsulation that forces the creation of an Internet perimeter which does not
readily exist in practice.
As others have pointed out, S/MIME is just one of five existing email
authentication standards. What makes S/MIME so special that it should even be
looked at, yet alone in preference to other efforts? Apart from niche
deployment comparable to pgp, what does it bring to the table exactly?
That it exists and is a standard and that people have labored long and hard
over it are not good reasons. If that were the selection criteria we'd all be
using X.400 by now. No, our solution needs to be the best candidate for the
job. If S/MIME wants to make a claim to that, it needs to show good reason why
it should be considered.