We should cut and paste this whole debate from the IMC Resolving
Security mailing list last year :).
There are currently two profiles in the S/MIME spec. A "RESTRICTED"
profile which specifies 40-bit RC2 as a MUST for encryption and
decryption, and an "UNRESTRICTED" profile which specifies 40-bit RC2 and
triple-DES as a MUST for encryption and decryption.
Certainly, if the spec is changed to have only triple-DES, then any two
compliant applications will be able to interoperate (I learned a cool
word from Ned one time: "axiomatic". This is axiomatic. Even if the
spec didn't change, any two compliant applications would be able to
interoperate). I probably used the cool word wrong, but you get my
This leaves the US export-restricted crowd out of the party. I've
started this particular rant over on the 40-bit thread, so go over there
to discuss that one.
From: Raph Levien [SMTP:raph(_at_)acm(_dot_)org]
Sent: Thursday, April 17, 1997 11:12 PM
To: Blake Ramsdell
Cc: 'Paul E. Hoffman'; 'ietf-smime(_at_)imc(_dot_)org'
Subject: RE: Alternative symmetric algorithm freely
(re: RC2 licensing).
On Thu, 17 Apr 1997, Blake Ramsdell wrote:
Yes, I understand that two *particular* implementations can
interoperate. But can *any* two implementations interoperate? No.
Because of US export regulation, you can't possibly answer that question
yes, because there will be a vendor that does not implement the
export-only algorithm unless that algorithm is labeled MUST.
It would be ridiculous for me to say that you had no interoperability at
all -- there is always "identity" interoperability with your own product
(I hope!). I'm sorry if my language wasn't precise. Of course, I may
have been trying to be ridiculous also -- it happens :).
I still don't agree with you. If the IETF specifies (say) Triple-DES as a
MUST algorithm, then *any* two implementations would be able to
interoperate. It's just not the case that there would be any US
exportable implementations of S/MIME. Thus, there would be no reason for
a sending implementation to use an export-only algorithm.