From: Paul Hoffman / IMC <phoffman(_at_)imc(_dot_)org>
> I think that the S/MIME spec should simply get out of the PKI business.

I agree completely.

> Unfortunately, PKIX part 3, which specifies how to do these actions, is
> still not around, and I suspect it is many months off due to political
> hassles in the PKIX WG. The CMP/CRS/CRMF debates seem like so much
> posturing, given that all parties agree that the other parties have no or
> few technical problems.

I sincerely hope that this assessment turns out to be pessimistic. We
(with PKIX hat on here) are working seriously to produce a harmonized
Certificate Request Message Format (CRMF) document and a companion
Certificate Management Message Formats (CMMF) document which will
enable all current CMP and CRS functionality using a common set of PKI
messages. The identical message set will be protected and transported
using either PKIX-3 (CMP) or CMS, depending on the application.
We had set an internal deadline of Dec 31 to have a proposal ready
for presentation to the full PKIX WG, and obviously failed to meet
that target. I do still have hope that the proposal (CRMF, CMMF and
CMP) will be ready for last call within a matter of weeks, not months.
The CMS-based protection framework should follow sometime thereafter.

> However, they are absolutely getting in the way of S/MIME.

This point cannot be stressed strongly enough! Paul, you are not
shy about expressing your opinions at IETF meetings. But other S/MIME
developers need to send a clear message to our PKI product vendors
that the lack of a single PKIX standard for PKI management messages
is getting in the way of business.