Well, last summer I was able to use PKCS (TIPEM from RSADSI) and
MIME-encode the binary output to send via Mail. It worked well.
I was able to have most stuff automated, and in this manner one
could sign a portion of the mail and leave the rest as normal
MIME mail. I used "application/pkcs" as the content-type.
One problem with this is that you lose the MIC-CLEAR type of mail,
since MIME will encode the whole PKCS output in IA5 encoding, so the
plain-text will get re-coded in MIME.
If you have a PEM message (as per the new 1113,4,5, et al docs), and
encode it in MIME, even if MIME changes the bit-values, the CHARCATERS
should remain the same. (An 'A' is an 'A', no matter how you encode
it). Well, the IA5 definition is a 6-bit encoding to a LETTER, not a
6-bit encoding to an ASCII representation of that encoding...
Basically, there are two questions at hand:
1) Should PEM be a sub-set of MIME, and if so, how can we make the
interoperation between them as smooth as possible.
2) If PEM is NOT going to be a subset of MIME, then how can we keep
them interoperating, so that they dont get in the others' way.
My example of PKCS in MIME shows that they can interoperate, at some
level. The question is, how hard are we going to have to work to get
them to work at all levels, and how soon can we get this working
code deployed in the field so that it gets real usage.
As a side note about PGP: I think one of the main reasons PGP has
taken off is that:
1) its free
2) its widely available
3) there arent any administrative overhead-caused headaches
4) its easy to use
5) its available NOW.
However, on a different note, I don't see PGP as being useful in the
legal sence, where PEM could be... PEM's signatures could,
theoretically, be used to electronically sign documents, whereas I
dont see PGP as being able to do this.
I'd like to see PEM deployed, but we need to get our acts together
and just do it...
Comments?
-derek