On Tue, 5 Oct 2004, Dave Crocker wrote:
> If I have understood the concerns correctly, the suggestion is to
> use s/mime or pgp because they are well-established.
>
> There are observations that s/mime and pgp do not
> a) protect headers
> b) use domain-scope identification
> c) DNS-based key validation (or acquisition)
> d) header-based attribute encoding
>
> The response I am hearing is that there are no inherent
> difficulties in making the changes to s/mime or pgp to cover
> these.
>
> I am not understanding how "making the changes" differs from a
> design and development effort.

It is a "design and development effort", but it may well be less of an
effort than "new design and development". Please do make sure to point out
the difference instead of implying it's one and the same.

There is a reason why so much is built on existing infrastructure -
it saves time on development and lets us use an existing set of libraries for
multiple tasks.

And if I understand correctly, it has always been an IETF goal to limit the
fundamental set of core protocols and allow new ones to build upon them.
This is the reason for BEEP as a way to build a core for other XML-based
protocols, this is a reason for TLS as a way to build channel-based
encryption for other protocols, and I can name a few more examples.

Now do you really think it's easier to add encryption into a protocol by
reinventing TLS, or is it easier to use the existing documented way and
existing set of libraries? So, if we can build upon an existing base -
we should!

> So I am not understanding what the benefit is, in starting with
> systems that have poor usage histories

Usage histories are poor because they rely on educating a large base of
hundreds of millions of end-users about how to use S/MIME or PGP. If we
rely on MTAs and automate this task, the only people to educate are
mail server admins, and this I believe is achievable since these techs
are a lot more fluent in what secure email communication is all about.
---
William Leibzon, Elan Networks:
mailto: william(_at_)elan(_dot_)net
Anti-Spam and Email Security Research Worksite:
http://www.elan.net/~william/emailsecurity/