[Top] [All Lists]

RE: Alternative symmetric algorithm freely availableforIETFS/MIME (re: RC2 licensing).

1997-04-17 23:29:38
We should cut and paste this whole debate from the IMC Resolving
Security mailing list last year :).

There are currently two profiles in the S/MIME spec.  A "RESTRICTED"
profile which specifies 40-bit RC2 as a MUST for encryption and
decryption, and an "UNRESTRICTED" profile which specifies 40-bit RC2 and
triple-DES as a MUST for encryption and decryption.

Certainly, if the spec is changed to have only triple-DES, then any two
compliant applications will be able to interoperate (I learned a cool
word from Ned one time:  "axiomatic".  This is axiomatic.  Even if the
spec didn't change, any two compliant applications would be able to
interoperate).  I probably used the cool word wrong, but you get my

This leaves the US export-restricted crowd out of the party.  I've
started this particular rant over on the 40-bit thread, so go over there
to discuss that one.


-----Original Message-----
From:  Raph Levien [SMTP:raph(_at_)acm(_dot_)org]
Sent:  Thursday, April 17, 1997 11:12 PM
To:    Blake Ramsdell
Cc:    'Paul E. Hoffman'; 'ietf-smime(_at_)imc(_dot_)org'
Subject:       RE: Alternative symmetric algorithm freely 
(re: RC2 licensing).

On Thu, 17 Apr 1997, Blake Ramsdell wrote:

Yes, I understand that two *particular* implementations can
interoperate.  But can *any* two implementations interoperate?  No.
Because of US export regulation, you can't possibly answer that question
yes, because there will be a vendor that does not implement the
export-only algorithm unless that algorithm is labeled MUST.

It would be ridiculous for me to say that you had no interoperability at
all -- there is always "identity" interoperability with your own product
(I hope!).  I'm sorry if my language wasn't precise.  Of course, I may
have been trying to be ridiculous also -- it happens :).

I still don't agree with you. If the IETF specifies (say) Triple-DES as a 
MUST algorithm, then *any* two implementations would be able to 
interoperate. It's just not the case that there would be any US 
exportable implementations of S/MIME. Thus, there would be no reason for 
a sending implementation to use an export-only algorithm.