pem-dev

Re: A brief comparison of email encryption protocols

1996-02-15 08:01:00
Very nice comparison.  I didn't find your comments overly subjective but
rather a statement of experience.  I have two comments.

At 4:49 PM 2/14/96, Raph Levien wrote:
  MOSS is mostly cryptographically sound. However, the choice of
symmetric encryption algorithm (and key size) is left unspecified.

It is true that the MOSS specification itself does not state which
algorithm to use or its recommended properties.  Instead, we continued with
the model PEM established and left the specification of the algorithm as a
separate document: RFC1423.  Thus, MOSS does specify RSA and DES, which
fails your criteria for minimum key size, but that is easily fixed.

  Perhaps the biggest feature required in the mailer is integration
of key management and the "address book". If this feature is not
implemented in the mailer, then two address books are required - one
to select email addresses, and another to map email addresses to keys.
This approach is used by premail, and is the source of many usability
problems. It would be nice if a database existed which could map email
addresses to public keys without manual intervention, but none of the
proposals on the table are capable of it.

In point of fact, MOSS supports this feature.  The email address name form
was included precisely because we figured people would want to continue to
use names with which they were familiar.  Further, the email address could
be parsed and the DNS could be used to look up the public key.

In the TIS/MOSS implementation, it is possible to look up public keys based
on any data stored with that public key, including the email address.
There are issues with respect to the uniqueness of the name form, but you
could enforce simplifications if you want (my opinion).

Jim

----------------------------------------------------------------------------
James M. Galvin                                        galvin(_at_)eit(_dot_)com
VeriFone/EIT, PO Box 220, Glenwood, MD 21738                 +1 410.795.6882


