Re: Restarting the 40-bit debate

1997-05-08 07:54:05
From: Keith Moore <moore(_at_)cs(_dot_)utk(_dot_)edu>

You seem to be of the opinion that IETF exists to provide market
opportunities to US companies.  You also seem to be of the opinion
that US companies are somehow "members" of IETF.  Finally, you seem
to believe that IETF's mission is to endorse the Clinton administration's
cryptography policy by developing standards which are consistent with
that policy.

You seem to be of the opinion that the IETF policy is to promulgate
standards that will not be commercially successful.  PEM, for example
was a well designed mechanism from a security point of view, but failed
because it was not flexible enough to accommodate the needs of its users.

You seem to be of the opinion that "quality" is a one-dimensional attribute,

   "However, I sincerely doubt that something as weak as 40 bits can be
    considered of sufficient quality for the Internet standards track."

That's like saying Consumer Reports quality ratings for cars depend only
on horsepower.  Certainly more is better, but claiming that a 1.8L BMW is
of poorer quality than a 4.3L Cavalier is counter-intuitive.  There is more
than one dimension to be considered.

I would argue that "widespread deployment" is one of the more important
quality criteria for IETF standards.  I believe that John Gilmore, who is no
fan of the U.S. Government, would agree - his cryptowall proposal accepted
unauthenticated keys as the tradeoff for achieving actual usage.

The statement

   "You also seem to be of the opinion that US companies are
    somehow "members" of IETF."

is mere sound-bite rhetoric, containing more heat than light.

No one, certainly not Blake, is under the misapprehension that the IETF
has a membership roster or that companies, governments, or universities,
US or otherwise, are enrolled as members.  Individuals who contribute to
the IETF, including the S/MIME working group if it eventually exists,
represent their own interests.  Those interests may or may not be
highly correlated with the interests of their employers/affiliates. I would
expect that the smaller the organization, the tighter the correlation.
Small software developers should have a particularly strong interest in
ensuring that whatever standards they labor to develop will result in
increased sales for their companies.

Academics, for good or ill, don't have the same incentives.  So feel free
to contribute to the process, but please refrain from denigrating the
motives of the rest of the participants.