ietf-openpgp

OpenPGP vs. OpenPGP/MIME

2002-01-24 13:14:52

Let me state off the bat that I'm taking off any official hat as
author/editor/expert I might have. This is my personal opinion as a
computer user who uses OpenPGP.

I'm distressed by the opinion that I have heard (usually second or more
hand) that somehow base OpenPGP in 2440+ is deprecated, uncool, or
something, and that the way to go is OpenPGP/MIME. I think this is patently
ridiculous. Usually, the way to go is to use base OpenPGP, which for all
its flaws, has one major advantage over all other cryptosystems that I've
used, including OpenPGP/MIME. That advantage is this: It actually works.
Nearly never do I fail to decrypt, verify, etc. an OpenPGP object, and when
I do, the problem can be solved by ASCII armoring the output -- which means
that the problem is implicit line-end translation that damages the binary.

To repeat, this is not a philosophical objection. This is not because I
have some horrid dislike for MIME. Well, all right, I do have a horrid
dislike for MIME, but I have a horrid dislike for MIME solely because it
doesn't work. I'm a practical person. I like any and all technologies that
work without my fussing with them. If we waved a magic wand and these
things started working, I wouldn't object. I would even start saying, "Hey,
MIME actually works." But they don't work, and I do dislike them for this
lack.

MIME does one thing well -- putting in files as attachments, and thus
making email a convenient file transfer protocol. This almost always works.
The further one strays from this basic function, the less reliable it is.
Sending a message in HTML and MIME-attaching pictures works pretty
reliably. But by the time you get to doing security multiparts,
interoperability mostly sucks. With OpenPGP/MIME, this is particularly
frustrating because there is almost always a perfectly good way to do the
same thing without MIME that would have worked fine.

Using OpenPGP/MIME makes sense when:

(1) The operation you were going to do needed to use MIME anyway. For
example, you're sending someone an attachment, and you'd like it encrypted.

(2) You're using some feature of OpenPGP/MIME that gives you useful things
you can't get any other way. Parallel signatures spring to mind.

Using OpenPGP/MIME makes no sense when:

(1) Whatever you were doing does little more than take the "-----BEGIN PGP
MESSAGE-----" header and prefix it with one that says, "Content type:
application/whatever".

(2) Protecting a blob of data has nothing whatsoever to do with MIME. For
example, I know of a banking system that uses OpenPGP encoded messages.
There's no need for MIME here.

MIME-coded messages have great uses. But alas, even to this day, there are
lots of uses of them that aren't quite ready for prime time. Let's face it
-- the majority of mailers don't do MIME correctly, and if I have to pry
apart attachments to get to a clearsigned signature just so I can
re-assemble the thing in a text editor so I can check the signature, I'm
probably not going to do it. It had better be pretty important for me to
take five minutes out of my day to bother. If it's encrypted, it's a lot
easier for me to decide that the message is more akin to the last chance
offers for domain names, offers to buy drugs without prescriptions, and
entreaties to skim off some sub-Saharan money that I get, and treat the
message the same way.

        Jon
