Robert Jeuneman writes:
Thanks for your comments. I hadn't considered the possible difference
in scope between the S/MIME Message Specification and the CMS, but I can
see that CMS might have broader applicability, and hence, differing
This is also the reason why there are, on close examination, no MUSTs
or SHOULDs in CMS.
With respect to the issue of bcc'ing the originator on an encrypted
message, although I suppose it is possible that the originator doesn't
have a public encryption key, this seems mildly unlikely, so I am more
inclined to agree with William Whyte's comment.
I'm not sure that the My Esteemed Colleague's comment was anything
more than a point of information. There will be situations when an
application should include an originator key, but there are also
counterexamples. Locking a MUST into the standard is unnecessary, particularly
since there's no compelling interoperability or security issue.
I wish I could find where I read that statement -- I thought it was in
one of the RFCs, but I can't find it.
draft-ietf-smime-msg-08.txt, section 3.3
Also, it should be noted that switching from MUST RC4 to MUST tripleDES
was the very first thing the ietf-smime group did, back 2 years ago.
There was a lot of discussion back then, all of it available on the IMC
mail archive. Not intended as a brush-off: there was a lot of relevant