FYI,
I have posted a new version of the draft S/MIME V3 Client Profile on the web.
You can find it at: http://csrc.nist.gov/pki/smime/draft_SMIMEProfile.pdf
(See http://www.imc.org/ietf-smime/mail-archive/msg00861.html for previous
message with background on the NIST S/MIME V3 Client profile.)
There is also a description of our work at:
http://csrc.nist.gov/pki/smime/welcome.htm
NIST has solicited comments from you and we have incorporated almost
all changes requested into the new document. Most comments received were
editorial in nature, or asked for clarification.
The new draft has these major changes from the previous (May, 2001) draft:
An Executive Summary for Procurement Officials, Implementers, Vendors, and
Others interested in S/MIME Technology from a less technical perspective;
A clarification (in Clause 2.4.4) that the path building requirements are
intended to require that all S/MIME clients be able to traverse
non-hierarchical (e.g., bridge PKIs) as well as hierarchical PKIs;
Relaxation of the requirement (in Clause 2.3.2) to always require user
notification when an incoming S/MIME message is signed by a certificate
that contains an email address that does not match the email address used
as "From" address. (This change was prompted by NIST's observation that
many new certificates will not contain email addresses.)
The major unresolved comment on the May draft is the issue of mandating
signed receipt processing support. (See Clauses 2.2., 2.3, and 3.1.) NIST
received a comment requesting that this mandate be dropped.
The comment argued that including a requirement for signed receipt support
would add cost and complexity to S/MIME products, and that the cost of this
additional functionality should be borne by the agencies that require this
service, enabling other agencies that do not require the service to obtain
less complex and less costly S/MIME v3 client systems.
Agencies that do not want/need signed receipts should not be required to
request it in their purchases of messaging systems.
NIST has felt that the additional cost and complexity were justified by
ubiquity of signed receipt support among U.S. Federal Agencies. We intend
to resolve this issue very soon and then publish the S/MIME V3 Client
Profile. We have almost completed the process of soliciting U.S. Federal
Agencies on this issue.
I will be pleased to receive any further comments on the new draft until the
end of January 2002.
(Note: The old draft and updated information on the NIST S/MIME program are
available at: http://csrc.nist.gov/pki/smime/welcome.htm).
The NIST S/MIME V3 Test Facility (see
http://csrc.nist.gov/pki/smime/smtest.htm) is not yet operational, but it
is expected to become operational (with limited test cases at first) during
the first quarter of 2002.
Thanks,
Mike Chernick
----------------------------------------------------------------------------------
C. Michael Chernick
+1-301-975-3610 chernick(_at_)nist(_dot_)gov
Computer Security Division
National Institute of Standards and Technology (NIST)
----------------------------------------------------------------------------------