pem-dev

Re: PEM WG Minutes from 26th IETF

1993-04-05 16:09:00

Steve, 

I would like to clarify the point of the presentation I made to the
PEM working group on the integration of PEM and MIME.  The point was
that MIME-PEM will soon be completed and will offer functionality
unavailable to an RFC1421 PEM implementation.  With the expected
acceptance and deployment of MIME PEM, and because MIME/PEM and RFC
1421 PEM are not compatible, severe interoperability problems will
result.

The MIME-PEM Message Format as defined in the latest Internet Draft
allows the following functionality not available to an RFC1421 PEM
implementation. 

 - The sending of multi-lingual messages requiring 
    character sets other than US-ASCII
 - The sending of non-text messages such as EDI
 - A robust backward compatible with RFC822 readable MIC protected message

The MIME and PEM message formats are not interoperable. While one
can engineer a particular implementation to understand RFC1421 PEM and
MIME-PEM in the same implementation (hereafter called Dual), this
gains neither the advantages of MIME nor eliminates the
interoperability problems between MIME-PEM enhanced and RFC1421 PEM
only implementations.

Because MIME/PEM is near completion, and because there is not
currently a widespread installed base of RFC1421 PEM implementations, an
opportunity exists to avoid interoperability problems by moving as
directly to MIME-PEM as possible.  Because there are no cryptographic
changes between RFC1421 PEM and MIME-PEM, it is conceptually possible
to build gateways and dual implementations between the two message
formats.  Unfortunately, rigorous engineering of a transition strategy
serves only to accelerate the deployment of a technology with known
limitations and delay the deployment of a more complete technology.

As I pointed out in an earlier note, the added complexity for a PEM
implementation to be MIME compatible is minimal. (Please read the
MIME-PEM specification and Appendix A of the MIME specification before
disagreeing.) The effort to implement the minimum MIME required to
duplicate the limited functionality of current PEM implementations is
relatively trivial, especially given the number of openly available
MIME implementations. 

To agree with Steve Kent, there was significant and understandable
opposition to this notion from current implementors of RFC1421 PEM who
are near ready to ship product.  I do however think the minutes
understated the support from users and network operators who currently
use MIME and were strongly in support of deploying a single
technology. Many attendees expressed a strong reluctance to install a
PEM system which does not meet their needs for non-English language
support and which does not support emerging Multimedia mail or EDI
applications.

My motivation for pursuing this proposal so aggressively stems from my
inability to see how the deployment of RFC1421 PEM can be considered
much more than an experimental step. While RFC1421 PEM can be used to
test user acceptance of cryptography and as a vehicle for deploying the
necessary key management infrastructure, the lack of support for
current email usage and requirements will keep it from being widely
useful.

Greg Vaudreuil


