ietf-smime
[Top] [All Lists]

Re: Why do people fight about S/MIME vs. PGP rather than use MOSS?

1997-12-01 09:05:08

But back to the internet. Tell me, who invented it? Industry
was in fact not really interested in it before some Physicists at CERN
(again a governmentally founded research organization) invented the
WWW. The industry discovered the WWW as a perfect marketing tool, and
helped spread the HTTP/TCP/IP as the most important informational
revolution since the Television. But did they add any technological
benefit to these protocols? Tell me? 

As one of the longtime membersof that CERN team I can
assure you that Marc Andressen, the founder of Netscape
had more than a minor role in helping develop the technology.
Just because a Netscape PR flack may occasionally give
the impression that he invented everything all by himself
does not mean his contribution should be ignored. I am
also thinking of people such as Ari Luotenen (inventor of
the Web proxy), Rob Mcool (co invented CGI with Ari
along with much else) and Eric Binna (whose contibutions to 
HTML are extensive). Throughout the entire time that 
Dave Raggett has worked on HTML he has been paid 
by HP.

The other reason the 'government funded the Web' meme
is simply inaccurate is that CERN never authorized the 
project. To my knowledge the limit of CERN's support
was to provide two student interns for a year (Henrick
and Ari), thats not to say they were not incredible interns
but from the reports one would imagine that there was a
team of twenty people. Everyone else who worked on the
Web did so by diverting resources from some other 
project. I was meant to be working on C++, instead I 
became the security 'team'. There is absolutely no way
that the resources that CERN provided could have allowed
the Web to come a tenth of the way it has. Support from
industry was absolutely essential. Without it there would 
not have been the money to fund the Web consortium 
after our CERN contracts expired and folk asked about
the stuff we had been 'supposed' to do.


Industry has always had a major role in setting IETF standards.
Anyone who thinks that an IPV6 protocol that was not supported
by CISCO, 3COM et al could survive does not understand the
process. 


First of all it was not RSADSI. It was Rivest, Shamir and Adleman, who
worked at MIT founded by governmental grants (a fact that -- in your
voice -- should discredit the innovative nature of the RSA
algorithm). As much as five (5!) years later, the patent was
claimed. 

This is not true. It was issued five years later but the application
date was six months after it was published. RSADSI was formed
by the patentees to exploit their invention. Ron Rivest was 
Chairman until the SDI buyout and still plays an active role.

This is rubbish, and you know it. There is not much to be
theoretically developed in security today, all knowledge is there for
more than ten years. 

That is simply not true Micali's certificate revocation technique
and the Pedderson phone tick modulus appeared in the past
three years. You may be unaware of developments but that
does not mean that they are not happening. Bruce's book
only contains developments that happened before it went to 
press, funny that.


1. The "userbase"

The userbase that you cite comes easily by having Netscape and
Microsoft select S/MIME. But don't ask how many S/MIME installations
do exist, but how many of them are actually *used*. I'd be interested
in a good statistics that compares actual *users* not posessors of
S/MIME vs. PGP software.

That is not the appropriate measure. What does it take for a
user to abandon a built in facility to use another one?

If I wish to sign an email I know that almost every recipient will
have S/MIME and only a very small number will have gone
to the trouble of downloading PGP. If I wish to allow people
to send me encrypted mail the same argument means that
an X.509 cert wins over a PGP key.

The IETF has been talking about encrypted and signed mail
for the past ten years. The main reason it has not taken off is
that security enhanced mail clients have only ever reached
a fraction of the userbase. As a direct result of SSL every
browser already has a complete RSA suite and X.509v3
certificate suite. It is no accident that they are interested in
a solution that is compatible with that base.

Look at the penetration of plug in applications for browsers.
Shockwave, Vivo, RealAudio etc appear on only a small
fraction of sites despite the ready avaliability of plug ins
and the growing trend for them to be made available at
the same time the browser is.

I can't debug other companies business plans. Hey maybe
Phil Z. is right and he can win this battle. Just don't imagine
that because it is logical to have a common standard and 
Phil Z. is determined not to budge that the mountains are
going to move to him. The mountains seem to have figured
out their idea of what the common standard is and be quite
happy where they are. 


                Phill