I disagree. If the standard claims to provide a certain degree of
privacy and authentication, but doesn't mandate that implementations
use cryptographic algorithms and key lengths sufficient to ensure
that degree of privacy or authentication, the standard has failed
to make good on its claims.
<sigh> Keith, for the nth time. Please stick to the spec. Please quote the
spec. That's why we wrote it and are asking for comments.
The spec does claim to provide privacy and security.
S/MIME provides the following cryptographic security services for
electronic messaging applications: authentication, message integrity
and non-repudiation of origin (using digital signatures) and privacy
and data security (using encryption)
I tend to believe that a spec should never say simply "this spec
provides security" because the question is one of degree.
Even with a longer key, I'd have to question whether the FOO
algorithm has received sufficient public review to make it the
only "MUST support" algorithm in the standard.
There is no FOO algorithm. The spec says there are multiple candidates for
what it will be replaced with. Clearly, I thought.
Any algorithm chosen as part of the standard needs to have enjoyed
significant public review.