pem-dev

Re: MSP v. X.400

1992-01-17 16:58:00
Chris,

        I disagree with your characterization of the position stated by
the memo.  The memo addresses the question of whether MSP or the 1988
X.411 security facilities should be used to provide secure messaging
in the DMS.  The memo does not say that the security facilities
provided in 1988 X.411 could not be used in general, but rather that
they are inadequate for the security requirements established for DMS,
including the use of U.S. Government-supplied crypto algorithms.
Within this context I do not believe the memo is inaccurate or
misleading. 

        Note also that when vendors implement the 88 X.411 security
features for the commercial marketplace, they will not be using the
same algorithms which will be employed in the DMS context, nor is it
likely that they will develop software which will meet the stringent
assurance requirements imposed on the systems which will be used in
the DMS.  Thus the relevance of COTS X.400 products which embody
commercial grade security technology to the DMS environment is
questionable. 

        We may succeed in modifying the X.400 recommendations in the
future (e.g., the 1996 version) so that the syntax and semantics allow
for use of the requisite crypto algorithms in a fashion which is not
pessimal from a performance and bandwidth standpoint and so that
UA-enforced access control is explicitly legitimized.  However, if
these changes are effected at the P1/3/7 layer, it will require MTAs
to be upgraded to accommodate this new syntax, whereas use of MSP is
compatible with existing 88 MTAs (whether they implement any of the 88
security features or not).  Moreover, as noted above, the security
assurance issues associated with COTS products will still remain,
so the value of such alignment in the long run is still open to
debate.

        Finally, I think it inappropriate to characterize MSP as a
non-standard sub-layer.  It is properly a content type which is used
to encapsulate other content types for security purposes.  X.400
admits such encapsulation in various forms, e.g., double-enveloping
for security purposes and forwarding of IPMs as body parts.  Since 88
X.411 is well suited to the transport of various content types, not
just P2/P22, the MSP security strategy for UA-UA security seems
consistent with the overall spirit of standards, given the conflicts
between DMS security requirements and the defined, 88 X.400 security
facilities.

        As for your investment advice, I don't necessarily disagree,
if one considers the global market for secure email, vs.  DMS secure
messaging requirements.  However, I do disagree with your claim that a
profile of the existing (88) X.411 security features/protocol could
meet these requirements and I believe that the memo presents (some of
the) evidence which supports that contention.

Steve


