ietf-smime

Re: Why do people fight about S/MIME vs. PGP rather than use MOSS?

1997-12-01 13:29:48
As far as I remember, MOSS is a MIMEisation of PEM.
PEM is based on X.509 and X.500. PEM imposed a centric view of the security
world (1 IPCA).

So MOSS implies X.509 and then ASN.1, as S/MIME does.

----------
From: Gunther Schadow <gunther(_at_)gusw(_dot_)dialup(_dot_)fu-berlin(_dot_)de>
To: crocker(_at_)cybercash(_dot_)com; galvin(_at_)tis(_dot_)com; murphy(_at_)tis(_dot_)com; ned(_at_)innosoft(_dot_)com
Cc: ietf-ediint(_at_)imc(_dot_)org; ietf-open-pgp(_at_)imc(_dot_)org; ietf-pgp-mime(_at_)imc(_dot_)org; ietf-smime(_at_)imc(_dot_)org; mime-msp(_at_)imc(_dot_)org
Subject: Why do people fight about S/MIME vs. PGP rather than use MOSS?
Date: Sunday, 30 November 1997 14:39

TO EVERYONE INTERESTED IN INTERNET MAIL SECURITY.

I am  a member of an EDI standards organization currently  preparing a
recommendation  for   their   members on  applying    Internet  E-Mail
standards.  Of course, security is a major issue here. Our observation
is that the  field is everything else than  clear while PGP and S/MIME
camps  are fighting each   other.  Unfortunately, marketing  interests
seem to play the major role  in that fight. As  much as I am confident
in the IETF  to stick to its  former  policy propagating open,  freely
available, simple and effective standards, I am nevertheless concerned
that industry is  on the edge to do  a lot of harm in  that field.  It
seems already that the  "Internet Mail Consortium"  will have a strong
impact in  IETF   standardization, and  as  the   IMC is   an industry
consortium, is not committed to the IETF policy.

I   have a strong  personal distaste  with S/MIME,   as the PKCS specs
require ASN.1, X500 and other OSI stuff that  does not merge very well
with  the rest of  the Internet infrastructure.  Of  course the use of
patent encumbered algorithms is  a deleterious "feature" of S/MIME  --
this also shows whose only real interest  it is to  have S/MIME. It is
not common sense, it is the profit  of one company: RSA Data Security,
Inc.  The other  industry that presents itself as disciples of RSA D.S.
Inc.  is  there to serve as distributors  of patent license royalties.
This is a very similar marketing strategy as  we all know far too much
from Bill Gates. Do  you really want  such attitudes to  influence the
Internet?

On the other hand PGP  is doing  a  definite cut  in its tradition  in
order to move  away from  patent  encumbered algorithms. However,  PGP
uses an ad-hoc binary format as  well. Even though  it is simpler than
ASN.1/DER,   it is still unnecessarily  obscure,  when  applied in the
world of MIME. 

Unfortunately, the MOSS  specification   RFC1848 seems to   have  been
forgotten. MOSS beats both S/MIME  and PGP in terms  of being open and
straightforward. It fits  very well into the MIME  world and does not
require any other technology than MIME. And  most important, it is not
engaged  in any way  to a  certain set of    algorithms.  MOSS can  be
translated from and  to S/MIME as well as  traditional or Open PGP. It
transcends the specifics of any of these technologies.

I would really much like to see MOSS having a future in the Internet
community. I would myself write a concise implementation of a flexible
multi-algorithm   MOSS that would be   freely available.  And I think,
others would do so as well. 

Anyway, what I refuse to accept is that the two camps (PGP and S/MIME)
do not try to collaborate.  Why don't they sit together, listing their
features in an abstract manner, independent from any format like ASN.1
or PGP's  or any technology  like X509?  These feature-lists  could be
merged, in order to  come up with  an abstract security  specification
that includes both approaches.  This abstract specification could then
be mapped to concrete technologies, whether  MIME (=> MOSS), ASN.1 (=>
PKCS) or the PGP-style.  Conversion software could be used as gateways
between these protocols.

If this were done,  the IMC or any other  involved party  could show,
whether their work  in the IETF is  for the sake  of the community  or
just  for their own  market share. Get back  to common sense, now! Get
the Internet back into people's hands!

regards
-Gunther

Gunther Schadow-----------Windsteiner Weg 54a, Berlin 14165, FR. Germany
Dept. of Anaesthesia, Benjamin Franklin University Hospital, Berlin.
gusw(_at_)zedat(_dot_)fu-berlin(_dot_)de               
http://userpage.fu-berlin.de/~gusw
----------------------------------#include <usual/disclaimer>-----------