From: ned(_dot_)freed(_at_)mrochek(_dot_)com [mailto:ned(_dot_)freed(_at_)mrochek(_dot_)com]
Another question to think about is whether the IETF really wants to
make a fifth attempt in the email signature area, so far it has done
PEM, MOSS, PGP & S/MIME.
This point has already been raised by Patrik Falstrom and
others. And if what this group decides to define is yet
another end to end signature scheme, then I am in complete
agreement with him: We have no business rearranging that
particular set of deck chairs a fifth time. Surely the number
five should carry with it at least some indication that this
is not where we should be going...
The specific deficiencies with S/MIME have almost nothing to do with the
specs. The problems lie in the deployed implementations.
The problem that we face is that there is no way to send S/MIME signed mail
today without the risk of an adverse user interface experience; worse, there
is no way of incrementally upgrading the deployed S/MIME base.
If I thought there was a way of doing S/MIME instead here I would take it.
I think that what we have here is an application protocol rather than
a core infrastructure platform.
I guess I disagree - sort of. I think what we have here is a
problem that can in fact be addressed through the creation of
some additional infrastructure, something the IETF is
competent to do. I do agree, however, that what people seem
to be pushing for is yet another foray into the application
space, which is not what we should be doing. (I don't see the
point of discussing the IETF's competence or lack of it given
this is not something I think we should be doing...)
My point is that if the IETF decides to step forward a fifth time and
decides to only address the parts it feels comfortable doing then we will
have a fifth disaster like the previous ones.
The reason for the previous disasters is failing to address the whole
problem and instead cherry picking the part that the IETF feels comfortable
with. The failures of S/MIME do not lie in that space; they are in the
application space.
What we need to do is to address the application space. What the IETF needs
to do is to stand back and leave us to it. There is no shortage of forums
that work in the application space.
FWIW, I don't use either one. I use several clients,
including PMDF MAIL (which I doubt you've heard of, but the
version I use does include provisions for handling HTML),
Netscape Mail, Mulberry on occasion, and a couple of
different webmail clients. These days I frankly have no idea
if this makes me atypical or not.
We are all utterly atypical of the users. If you know what the letters IETF
stand for, let alone attend a meeting, you are atypical.
The question is not whether we are atypical, it's whether we can put
ourselves in the place of the ordinary user who does not want to become a
techie.
I have used PMDF as it happens, used to have a VMS system that used it.