[Top] [All Lists]

RE: draft-ietf-smime-idea

2000-03-03 10:56:01
Firstly, I would like to apologize for the delay of my response (I was busy
on CeBIT).

We highly respect all comments on the draft and would like to proceed in the
following way:

1. we will submit an IPR statement to the IETF and this working group very

2. we will remove all sentences in the draft which could lead to the
impression of marketing; it is not our intention to misuse the draft for
marketing purposes

I would like to remark that the sentence "Organization who make already use
of IDEA for other applications also want to use IDEA in S/MIME." has been
introduced for justification. We sent already an long list of IDEA users in
industry to the SMIME working group (also Mr. Hoffman got this list, and
thus he should not say that he has never heart of anyone wanting to use
IDEA). We can proove that IDEA is widely used in Europe. According to our
experience customers in industry often like to choose a symmetric cipher as
a part of their security policy. This demand should be considered in SMIME,
and that's why we wrote the draft. 

3. The short statement and reference on the security of IDEA has been
introduced in appendix B when Mr. Hoffman asked us to include such a
statement (after submission of draft verion 0). Basically, we reacted on his
doubts about the IDEA security. Anyway, we will remove the statement
"Experts in cryptography consider IDEA to be a highly secure symmetric
cipher [IDEA]" as it can be directly obtained from the stated literature.

Despite different personal opinions about the use of IDEA, we believe, the
customer's desires should be considered. We can proove that big European
companies and banks are using it, and they want to use it in SMIME as well. 

Thanks a lot for your understanding and support.

*Stephan Teiwes, iT_Security AG

-----Original Message-----
From: Russ Housley [mailto:housley(_at_)spyrus(_dot_)com]
Sent: Mittwoch, 23. Februar 2000 20:20
To: ietf-smime(_at_)imc(_dot_)org
Subject: Re: draft-ietf-smime-idea


Paul raises some very important points.  Let me share my view as the S/MIME 
Working Group Chair.

1.  We must have an IPR statement for this document to progress to an RFC.

2.  I do not mind some justification text.  Something like: "Organization 
who make already use of IDEA for other applications also want to use IDEA 
in S/MIME."  But, in my opinion, the marketing hype needs to be 
significantly reduced.  The CAST-128 document does not try to convince 
anyone that CAST-128 is appropriate or inappropriate for any particular 
group of users.  The IDEA document should have a similar tone.

3.  I would like this document to become a Standards Track document.  The 
document should state the one and only way that IDEA is used with 
CMS.  Clearly, IDEA will not be mandatory to implement, but if IDEA is 
implemented, then it MUST be done in the manner specified in this 
document.  I cannot recommend that this document become a Standards Track 
RFC until items 1 and 2 are repaired.


At 09:58 AM 02/23/2000 -0800, Paul Hoffman / IMC wrote:
There are a few things in this document that should raise concern.

Appendix C states clearly that this is a patented algorithm for which 
licensing is available. However, it appears that no one has let the IETF 
Secretariat know that. Nothing about IDEA is listed on 
<>. This draft should not be considered until 
there is a formal statement to the IETF.

Parts of the document sounds like a marketing brochure. "Today, IDEA is 
widely applied in electronic business applications." "Especially for those 
organization who make already use of IDEA on a wide scale it is of high 
interest that IDEA is also available in S/MIME." "Experts in cryptography 
consider IDEA to be a highly secure symmetric cipher [IDEA]." And so on.

These seem particularly inappropriate for an RFC. To be frank, I've never 
heard of anyone wanting to use IDEA for anything other than old PGP. The 
folks who wrote PGP had their reasons for choosing IDEA when they did, but 
they dropped IDEA as a required algorithm for OpenPGP and that doesn't 
appear to have negatively affected them. The IETF shouldn't codify this 
kind of marketing hype, even in an Informational RFC. To move forwards 
with this, it would be nice if the authors went through the draft and took 
out the marketing fluff.

--Paul Hoffman, Director
--Internet Mail Consortium

<Prev in Thread] Current Thread [Next in Thread>
  • RE: draft-ietf-smime-idea, Teiwes, Stephan (iT_SEC) <=