All,
I have received three comments on section 2.2. I'm interested to see if
anybody has the same or alternate views on the following q/a:
1. Is there an inconsistency between section 2.2 and 2.1; in section 2.1
SHA-1 is SHOULD- while in section 2.2 RSA with SHA-1 is MUST-?
Relooking at this I think there is and RSA with SHA-1 ought to be SHOULD-.
2. Should we add DSA with SHA-256?
I don't think so. The reason we ended up with the text was that RSA became
unencumbered between v3 and v3.1. Now that RSA is unencumbered and
governments seem to be fine with RSA (at least NIST is in the short term),
I'm not sure it's a requirement for S/MIME. Is there anybody out there that
thinks DSA with SHA-256 ought to be a requirement?
3. The "RSA or DSA" words for sending agents have been removed. Should we
add that type of wording back in?
I think we should because as it reads now sending agents SHOULD- support
both RSA and DSA with SHA-1 when it really ought to be or. As a result, I
think we should split the receiving and sending agents requirements in to
separate bullets.
spt