I wonder how many non-mail client software companies would want to
implement and export S/MIME products?
Perhaps I was overly broad in my statement that "US companies need to
sell products outside the US and Canada", and I should have said that
"US companies that want to implement S/MIME need to have the ability to
sell products outside the US and Canada". Software is an international
The *teeny number of companies* is 100% of the current and announced
S/MIME vendor market in the US. Every one of them sells outside of the
US and Canada. Small in number compared to the number of companies in
the US, granted. But it is 100% of the US market that is providing
I understand that there is a faction that says that RC2 40-bit should
just be changed from MUST to SHOULD. This will cause a lack of
interoperability. I further understand that there is a faction that
says that RC2 should be removed completely from the algorithm suite.
This will also cause a lack of interoperability.
This is why I don't differentiate between the two -- the outcome is
exactly the same. This is also why I have asked others to propose
alternative US exportable algorithms so that we can keep an exportable
algorithm in the MUST section, and thus have a minimum level of
interoperability. The only ones who have to use it are the ones who are
If you have an idea as to how this debate can continue in an open forum
that is more to your liking, let me know. I'm just trying to figure out
how to fulfill the proposed charter of this working group which
From: Paul E. Hoffman [SMTP:phoffman(_at_)imc(_dot_)org]
Sent: Thursday, April 17, 1997 7:46 PM
Subject: RE: Alternative symmetric algorithm freely
(re: RC2 licensing).
At 6:56 PM -0700 4/17/97, Blake Ramsdell wrote:
1. US companies need to sell products outside the US and Canada
Let's be a bit more specific here. *Some* US companies need to sell
products outside the US and Canada (and Mexico, by the way...). Not all of
them. The ones you are talking about are companies that create mail client
software. They are a teeny minority of US companies.
2. The current discussion about removing RC2 40-bit is about removing
the necessary component from the specification that would allow this
Not necessarily true. Some people would like to remove RC2/40 altogether,
others would prefer to move it to SHOULD or possibly just a list known,
widely-deployed algorithms. I hear no consensus yet, which isn't surprising
given the topic.
In any case, this is the business need, and it appears that the IETF
wants to head the spec in a different direction.
Wrong and wrong.
- It is a business need *for a teeny number of companies*. The vast
majority of US/Canada/Mexico companies have a business need for reliable,
interoperable, secure email. If the IETF can get that with RC2/40, great.
If not, the IETF must listen to the needs of all businesses and still come
up with a spec for reliable, interoperable, secure email.
- "The IETF" doesn't speak with one voice, and thinking that a handful of
comments on one mailing list over two days reflects the voice of the IETF
is just plain silly. The debate is only begun, and not very well I might
--Paul E. Hoffman, Director
--Internet Mail Consortium