ietf-smime
[Top] [All Lists]

Re: Reducing signature sizes.

1998-04-09 17:20:51
Blake Ramsdell wrote:

Now part of that is because I'm a jerk, but part of that is because it's
the reactionary "aaah!  It's new and scary and will make the world a
worse place!"  The TNEF I apologize for, and I have fixed -- the other
ones I had to suffer through until people didn't complain.


Yes I agree there is an element of suspicion of anything new. However
there is also the jusifiable argument that some MUA's produce needlessly
large signatures.

I do apply selective judgement as to what messages to sign, however,
since the non-repudiation, integrity and authenticity attributes are not
necessary in most of my communications.  This was something that Paul
pointed out also, I believe.


I suppose it depends to some extent on whether you think people signing
a higher proportion of their messages a good thing(TM). 

People have come to accept the

---- BEGIN PGP SIGNED MESSAGE ----
<signed stuff>
---- BEGIN PGP SIGNATURE ----
<signature stuff>
---- END PGP SIGNATURE ----
---- END PGP SIGNED MESSAGE ----

block in the middle of their text (which may phase out with the use of
PGP/MIME), much as they have come to accept


Well yes. They would be much less willing to accept it if it included
several K of data in the middle.

I would support the specification stating that an S/MIME agent either
SHOULD (or even MUST) give the user the option to not include
certificates in signed messages.

I would support MAY or SHOULD give the user the option.


So we would agree on SHOULD then :-)

Note I'm most certainly not anti-S/MIME, quite the reverse. (I am anti
some of the earlier broken standards and weak acceptance criteria but
that's nothing to do with IETF).

A solution analagous to PGP is possible with some MUA's now in that you
can exclude all your certificates and (optionally) just include a URL in
your signature to point to them. All well and good (if you have the
option). Making the process more automatic would be better (hence my
proposal).

Given that it should (or should that be SHOULD) be necessary to also
check the revocation status of a signers certificate to get a better
degree of assurance and that this necessitates (barring the inclusion of
a potentially large CRL) some repository access of some sort you might
as well get the certificate at the same time.

Steve.
-- 
Dr Stephen N. Henson.
UK based freelance Cryptographic Consultant.
Email: shenson(_at_)bigfoot(_dot_)com
PGP key: http://www.drh-consultancy.demon.co.uk/key.asc


<Prev in Thread] Current Thread [Next in Thread>