I'd like to raise an issue that is giving me some problems. Currently, the CMS
spec describes a number of algorithms for both authentication and
confidentiality, mandating some of them and leaving others optional.
I believe the right algorithms etc are mandated for S/MIME over the Internet.
But, as CMS is intended for use outside of S/MIME as a 'protocol bucket' by
other applications that may not wish (or may no be able) to support the
mandated algorithm set, surely the best place to specify and mandate algorithms
is in the MSG spec.
That way vendors will be able to claim conformance to CMS without having to
implement the mandatory algorithm set. It will make no difference to those
claiming conformance to S/MIME. To me the latter means conforming to the
profile of CMS/ESS etc. that the MSG spec lays down.
Likewise, it concerns me that the CMS spec is reliant on the X942 spec. Again,
I believe this should be referred to by the MSG spec not CMS.
-------------------------------------------------------------
Darren Harter BSc Hons MBCS CEng
CASM Technical Architect
CASM Programme Office
CESG
Work: dharter(_at_)cesg(_dot_)gov(_dot_)uk
Home: Darren(_dot_)Harter(_at_)bcs(_dot_)org(_dot_)uk