Jeremey Barrett <jeremey(_at_)bluemoney(_dot_)com> wrote:
It is equally obvious to the non-MIME mail reader that this ASCII
armored mail message was signed. However, it is not obvious that
a PGP/MIME signed message has anything but gibberish in it. Ever
used 'mail' to read a MIME message? :-)
No, and I never tried to write a device driver using 'cat'. I know
it can be done but so what? There comes a time when you just have to
admit that there is only so far that you will go to be backwards
compatible and these "but what if the mail agent doesn't understand
MIME?" cries are becoming a bit rediculous. Contrary to the claims
being made, a vast majority of the mail agents in use today support
reading MIME message (and most of the people who are still using
/bin/mail or versions of elm compiled in the 1980s are smart enough
to be able to pipe things through mmencode, etc.)
In some cases, it is useful. In other cases, it's the wrong policy.
As Jon pointed out, PGP is not email software, there are a host
of other applications for PGP, which might well benefit (and do)
from ASCII armor.
I hate to burst the bubble of everyone at PGP, Inc. but right now and
for the forseeable future PGP is _only_ email. It is not for general
purpose encryption because in those cases people use toolkits that do
not carry around as much bogus baggage as PGP does (like Ascii
Armoring for example...)
My point is that _requiring_ MIME eliminates a set of users. That's
all. Eliminating users decreases the security of the system, because
less people have the necessary tools. If security is the goal (and
as I read the wg charter, "The whole purpose of Open-PGP is to
provide
security services") then the elimination of ASCII armor is
contradictory to the goals of the wg, IMO. It should be a MUST.
Requiring MIME eliminates a very small set of users and makes it
easier for developers to include support in future mailers so that
those people stuck with obsolete mail agents can find a new and
better one without too much trouble. Eliminating Ascii Armor has
nothing to do with the security of the system (other than increasing
its complexity and the probability of bugs), if the tools use
Internet-Standard parts then it is likely that there will be more
tools available and more users.
jim