ietf-smime

Re: Re[2]: Restarting the 40-bit debate

1997-05-08 17:14:52
At 4:40 PM -0700 5/8/97, Keith Moore wrote:
> somehow I don't view s/mime as being likely to be used in
> broadcast media like usenet or mailing lists.

Well, in the case of mailing lists, you're clearly in disagreement with
many people here. Companies are already writing mailing list managers that
can handle S/MIME and PGP/MIME (and PEM...) for incoming and outgoing mail.
Yes, this is a hard problem with lots of tricky aspects; yes, it is
strongly desired in many communities. I see nothing in S/MIME or PGP/MIME
that prevents their use in mailing lists that can't be overcome.

> I had the idea
> that its primary intended purpose was to provide privacy,
> authentication, non-repudiation, etc for interpersonal mail.

Then you didn't read Section 1 of the draft very well. It explicitly states
that S/MIME is intended for interpersonal mail *AND* non-mail transports
*AND* automated mail transfer agents. I know of developers who are working
in each area.

I believe for all significant applications, FOO/40 as described in Section
2.6 will never get used unless it is explicitly desired by both parties.
Period. If there is some way for me to rewrite Section 2.6 to make this
more painfully obvious than it is now, please suggest wording here.

For valuable data, either the sender will have previous knowledge of the
recipient's capabilities from previous interactions, or the sender will
risk failed decryption on the first try by using tripleDES. The chance that
an individual would send valuable information that absolutely must be
decrypted to someone they do not know the decryption capabilities of seems
highly remote. The chance that an automated system would do so borders on
the absurd. Both might send non-valuable information that could be subject
to a brute-force attack, but no one who understands the value of their data
would purposely use weak encryption on valuable data.

(And, yes, there are plenty of people who don't understand the value of
their data or the security of the Internet. Because we have not come up
with a standard that has attracted much deployment, these people are still
using the most popular form of security, cleartext.)

--Paul E. Hoffman, Director
--Internet Mail Consortium