Well, there is one problem, and it's due to the store-and-forward nature of
e-mail which prevents negotiation, making it impossible to know whether a
given algorithm is supported by a new recipient (think, e.g., of signed
messages sent to mailing list). The result is that everybody ends up using
ONLY the common denominator, i.e. the "MUST" algorithms. Incidentally, this
was precisely the root of the trouble with 40-bit security in the bad old
days: a sort of Gresham's Law for algorithms...
In my opinion, "MAY" algorithms are pretty useless in non-interactive
contexts, and if DSA is not kept as a "MUST" (my preferred choice), it might
as well be dropped altogether.
Enzo
Although it isn't strictly interactive in the sense that SSL is, the
SMIMECapabilities attribute allows the originator of a message to indicate his
preference as to encryption algorithms, including 40-bit RC4 vs. 56-bit DES vs.
128-bit whatever vs. 196-bit triple-DES (and soon, presumably, 256-bit AES).
(Granted, some implementations ignore the attribute and default to the lowest
common denominator (boo, hiss), and others use whatever algorithm and key size
the originator selects, regardless of what the recipient specified.)
I don't have the text in front of me, but isn't it possible to indicate the
preferred key exchange and signature algorithms (and hashing algorithms, in
order to handle SHA-384 and SHA-512) in the same manner?
If not, it probably ought to be amended.
Bob