You can't believe everything that you read. No, OpenPGP is not the best
course, nor is S/MIME prohibiting you from using whatever encryption
technology you find exciting. Nor, as PGP is often claiming, is S/MIME
'less secure' than PGP, open or otherwise. I've enclosed an article that
is both more current (as far as when it was written), and more accurate.
It was published in this week's Internet Week (formerly Communication
Week) and can also be referenced at the CMP web site:
Internet Week (formerly Communication Week)
September 08, 1997, Issue: 680
Section: News & Analysis
S/MIME Protocol Gets Back On Standards Track
By John Fontana
Just when it seemed there was little hope of RSA's S/MIME protocol
becoming an Internet standard, it appears to be back on track.
The Secure Multipurpose Internet Mail Extension (S/MIME) protocol, which
is a trademark of RSA Data Security (www.rsa.com), Redwood City, Calif.,
will be submitted as an informational request for comment (RFC) to the
Internet Engineering Task Force in the next few weeks, said Tim Matthews,
product manager for RSA's S/Mail, an S/MIME developer's kit.
S/MIME has been regarded as a de facto standard for secure messaging for
the past two years. It was all but assured of moving closer to an
Internet Engineering Task Force standard at last month's quarterly
meeting, held in Munich.
But, in a stunning rebuke, it was removed from the docket.
Initially an informational RFC that is based on S/MIMEv2, S/MIME will be
filed with the IETF. That will be followed shortly by the submission of a
plan to establish a working group for S/MIMEv3 within the IETF, according
to Matthews. The formation of a working group is the first step to
creating a standard. S/MIME is a protocol for end-to-end authentication
and privacy for E-mail. S/MIMEv3 is more robust because it allows for the
exchange of encryption keys other than those designed and supported by
RSA.
Doing The Right Thing
Before the plan is submitted, RSA must come to an agreement with the
Internet Society (ISOC), which oversees the IETF, to turn over copyrights
and the trademarked S/MIME name to the ISOC, according to Paul Hoffman,
co-director of the Internet Mail Consortium (www.imc.org) and author of
the S/MIME charter. Once an agreement is reached, the charter can be
submitted and a working group can be formed.
"We are taking advice from the IETF and its security area director so we
can do the right things with the charter," said Matthews. RSA plans to
work on the charter this week at its Developer's Day in San Francisco.
"The working group should be in place by December," said Hoffman. Its
first face-to-face meeting would then be at the next IETF meeting Dec.
8-12 in Washington, D.C.
Questions over S/MIME and RSA's trademark became an issue at the IETF
meeting in Munich. The removal of S/MIME from consideration by the IETF
came as a surprise to vendors who are heavily pushing the protocol in
their messaging products. Momentum behind the specification is being
driven by Lotus Development, Microsoft, Netscape and Novell, among
others.
Netscape has already released S/MIME support, Novell will release support
in two weeks in GroupWise, and the other two plan to implement it this
fall. The four vendors combined account for nearly 25 million seats of
electronic mail.
Major corporations are anxiously awaiting a standard and secure way to
exchange E-mail, which is becoming a transport for many sensitive
documents. S/MIME is seen as a good technical solution even though some
interoperability problems recently surfaced.
Copyright (c) 1997 CMP Media Inc
-----Original Message-----
From: Anthony Daniel
Sent: Wednesday, September 10, 1997 11:45 AM
To: David P. Kemp; smime-dev(_at_)RSA(_dot_)COM @ WORLDTALK;
vic20-users(_at_)RSA(_dot_)COM @ WORLDTALK;
ietf-smime(_at_)imc(_dot_)org @ WORLDTALK
Cc: jis(_at_)mit(_dot_)edu @ WORLDTALK
Subject: Re: IETF S/MIME
Imagine what would have happened to the Internet (and to software
developers), if a company like RSA Inc, had copyright and trade secrets on
the TCP protocol?
Is it not better to leave RSA with their copyrights and secrets (they can
keep them) and move on to a free package that has wide use within the
internet community and has always had published code - with no future
problems on licensing: that is developers/end-user additional costs.
A package tested and open to use whatever algorithms we want to use?
Isn't OPEN PGP the best solution?
Anthony
At 12:03 PM 10/09/97 -0400, David P. Kemp wrote:
It will be interesting to see the minutes from today's S/MIME workshop,
particularly regarding agenda item 3: "progressing S/MIME within the
IETF".
Until now, I held out some hope that that might actually happen.
But an article in Computer Reseller News entitled "RSA's Bidzos takes issue
with the IETF" (http://techweb.cmp.com/crn, search on bidzos) says that
RSA has no intention of being "bullied" by the IETF, implying that there
is little chance of resolving the licensing issues.
Assuming that the article accurately reflects RSA's position, I fully
support the IETF's decision not to form an S/MIME working group.
At the Memphis BOF, Jeff Schiller stated that the two primary obstacles
were the trade secret status claimed for the RC2 algorithm, and
licensing of the S/MIME trademark. The first issue was addressed by
publication of draft-rivest-rc2desc-00.txt on June 23, so it is apparently
the second issue which is gumming up the works.
As a way out of this impasse, I propose the formation of an IETF working
group to standardize the Message Security Protocol (MSP) version 5.
The working drafts for MSP v5 would be identical in content to
draft-dusse-smime-msg and draft-dusse-smime-cert except that all
references to the trademarked term "S/MIME" would be replaced with
the term "MSP". The development of MSP v5 (including the message
encoding format and the choice of mandatory algorithms) would be in
accordance with standard IETF procedures, only faster :-).
Any S/MIME(tm) developers interested in pursuing this course, as a way
to move forward?
Any interest in an MSP BOF this December in DC?