Enzo:
> CMS no longer includes any mandatory to implement algorithms. This was
> done so that each application could assign the best algorithms for their
> environment.
>
> For S/MIME version 3.1, the mandatory to implement encryption algorithm is
> Triple-DES. I do not expect this to change. However, there has been
> discussion about making AES a SHOULD implement algorithm. The "Use of AES
> with CMS" specification is finally nearly finished. This is intended to
> send a message to implementors that AES will probably become a MUST
> implement algorithm in the future. At that time, AES would become MUST and
> Triple-DES would become SHOULD (to preserve interoperability with old
> algorithms).
Is backwards interoperability considered a SHOULD? I would think that it's
important enough to make it a MUST (at least for decryption of old
messages).
This depends on time scale. I agree that backwards compatibility is very,
very important. However, at some point, the current MUST will become a
SHOULD and eventually become a MAY. For S/MIME it would be possible to be
even more graceful. For example:
For transmission, the agent MUST implement AES.
For reception, the agent MUST implement AES and Triple-DES.
Russ