ietf-mailsig

RE: Narrow the scope: no new email signature protocol

2004-10-06 01:17:24

domainkeys-feedbackbase01(_at_)yahoo(_dot_)com wrote on Wednesday, 6 October 2004 7:32 p.m.:
--- Craig McGregor <Craig(_dot_)McGregor(_at_)treasury(_dot_)govt(_dot_)nz> wrote:

The proposed solutions that use existing signature structures (e.g.
S/MIME) are not receiving the same amount of "advocacy" as the
proposals that propose to invent new signature or verification
schemes. This is somewhat surprising because existing running code
is always preferable and S/MIME already has many independent
implementations. There really would need to be some pretty good
reasons to ignore S/MIME structures and create something new. What are
they?

Actually I ask the same question in reverse. There really needs to be some
pretty good reasons why we would even consider S/MIME.

After all, it's a complex, niche technology. It's not deployed or
implemented in the main Internet email programs that MASS is concerned about.

Complex and niche are relative terms.  S/MIME is not necessarily complex or
niche to all persons with an interest in this initiative.  Please specify
the "main" email programs that MASS is expected to concern itself with.


It mostly addresses different problems than what we want to solve and it's
a disruptive encapsulation that forces the creation of an Internet perimeter
which does not readily exist in practice.

I understand from the discussion about alternatives that the most successful
ones are those that do make a distinction between mail passing through the
"internet perimeter" and mail that stays on only one side of it.  This is in
fact the widespread practice of *ALL* organisations that are serious about
their on-line security through the deployment of firewall devices with
trusted and untrusted zones where internet traffic has quite different
policies applied in respect of access to services or information.


As others have pointed out, S/MIME is just one of five existing email
authentication standards. What makes S/MIME so special that it should even
be looked at, let alone in preference to other efforts?

From my point of view, what makes it special is that it is currently in use
for just this purpose, has been so for over three years, and is expected to
be deployed even wider in the same context (viz New Zealand Government
communications).  

The solution can be implemented with existing standard products, so no
development is required.  You might also like to look at the Open Group
initiative, which is intended to deliver a very similar solution for MHDC
(http://www.opengroup.org/messaging for more information).

Apart from niche deployment comparable to pgp, what does it bring to the
table exactly?

That it exists and is a standard and that people have labored long and hard
over it are not good reasons. If that were the selection criteria we'd all
be using X.400 by now. No, our solution needs to be the best candidate for
the job. If S/MIME wants to make a claim to that, it needs to show good
reason why it should be considered.

Some good reasons shown :-)

James
