TWO EVERYONE INTERESTED IN INTERNET MAIL SECURITY.
I am a member of a EDI standards organization currently preparing a
recommendation for their members on applying Internet E-Mail
standards. Of course, security is a major issue here. Our observation
is that the field is everything else than clear while PGP and S/MIME
camps are fighting each other. Unfortunately, marketing interests
seem to play the major role in that fight. As much as I am confident
in the IETF to stick to its former policy propagating open, freely
available, simple and effective standards, I am nevertheless concerned
that industry is on the edge to do a lot of harm in that field. It
seems already that the "Internet Mail Consortium" will have a strong
impact in IETF standardization, and as the IMC is an industry
consortium, is not committed to the IETF policy.
I have a strong personal distaste with S/MIME, as the PKCS specs
require ASN.1, X500 and other OSI stuff that does not merge very well
with the rest of the Internet infrastructure. Of course the use of
patent encumbered algorithms is a deleterious "feature" of S/MIME --
this also shows whose only real interest it is to have S/MIME. It is
not common sense, it is the profit of one company: RSA Data Security,
Inc. The other industry that present itself as deciples of RSA D.S.
Inc. is there to serve as distributors of patent license royalties.
This is a very similar marketing strategy as we all know far too much
from Bill Gates. Do you really want such attitudes to influence the
Internet?
On the other hand PGP is doing a definite cut in its tradition in
order to move away from patent encumbered algorithms. However, PGP
uses an ad-hoc binary format as well. Even though it is simpler than
ASN.1/DER, it is still unnecessarily obscure, when applied in the
world of MIME.
Unfortunately, the MOSS specification RFC1848 seems to have been
forgotten. MOSS beats both S/MIME and PGP in terms of being open and
straight forward. It fits very well into the MIME world and does not
require any other technology than MIME. And most important, it is not
engaged in any way to a certain set of algorithms. MOSS can be
translated from and to S/MIME as well as traditional or Open PGP. It
transcends the specifics of any of these technology.
I really much like to see MOSS having a future in the Internet
community. I would myself write a concise implementation of a flexible
multi-algorithm MOSS that would be freely available. And I think,
others would do so as well.
Anyway, what I refuse to accept is that the two camps (PGP and S/MIME)
do not try to collaborate. Why don't they sit together, listing their
features in an abstract manner, independent from any format like ASN.1
or PGP's or any technology like X509? These feature-lists could be
merged, in order to come up with an abstract security specification
that includes both approaches. This abstract specification could then
be mapped to concrete technologies, whether MIME (=> MOSS), ASN.1 (=>
PKCS) or the PGP-style. Conversion software could be used as gateways
between these protocols.
If this where done, the IMC or any other involved party could show,
whether their work in the IETF is for the sake of the community or
just for their own market share. Get back to common sense, now! Get
the Internet back into people's hands!
regards
-Gunther
Gunther Schadow-----------Windsteiner Weg 54a, Berlin 14165, FR. Germany
Dept. of Anaesthesia, Benjamin Franklin Univerity Hospital, Berlin.
gusw(_at_)zedat(_dot_)fu-berlin(_dot_)de
http://userpage.fu-berlin.de/~gusw
----------------------------------#include <usual/disclaimer>-----------