As much as we may hate it, the US Government's refusal to let US
developers ship mail software with stronger security has pretty much
prevented all developers, inside the US and outside, from
implementing strong-encryption-only specs like PGP/MIME.
I don't believe this. First, there are many factors involved besides
US export rules -- including the existence of patents and the
licensing practices of certain firms. PGP has a reputation which
gives it credibility in certain circles and undermines its credibility
in others. Second, people are shipping strong encryption products
both inside and outside the United States.
I think it behooves us to come out with a spec that can be widely
implemented but does not force weak encryption.
People can define and use weak encryption algorithms if they want to.
However, I sincerely doubt that something as weak as 40 bits can be
considered of sufficient quality for the Internet standards track.