: There is no scope or purpose to PEM.
Mark> I think there is a purpose: to create a secure, authenticated
communications channel for messaging. Prior to this, face to face
meetings were the main method of conducting secure, authenticated
communication.
That may be a very good purpose, but it's not in the documentation, nor
does it happen to square with the purpose that I would posit - "That PEM
provides for email what a signature and envelope provide for snail
mail". (Not sure how a face-face meeting can be authenticated after the
fact unless witnesses are present.) But that's just the point -- There
is no (common) scope or purpose to PEM. (For those who really believe
that it's in the RFC, those just describe process, not intended
audience, scope of application, purpose for privacy, point of
authentication, who the users might be, exactly what an "origin" is,
etc., etc., etc.)
- -
: I can't even get a cogent explanation of the reasons for using
public key technology. (I know -- it "SCALES well"??)
Mark> This one is easy, it was elaborated by W. Diffie and Hellman in
their original papers and drove the development of public key
encryption: all necessary keys and messages can be exchanged in a
single communications channel without risking exposure of the key to the
message. All other techniques require an independent, secure channel to
communicate a key.
Not quite so easy as all that, Mark - You still need the independent,
secure channel to establish the trust - i.e. to get the certificate, and
to verify the certificate. No one has ever explained to me how that is
significantly different from manual key distribution, which is what I
infer your comment to be referencing. Most people in explaining their
love affair with public key gave up on all the original reasons why it
is good as listed in the early literature, and now have a new set of
reasons - "the level of trust in the third party is less" or some such
intangible. All the hard reasons for preferring public key evaporate
under the cold light of inspection. (By the way, Diffie/Hellman key
exchange requires a two way channel and will not operate efficiently in
a single one-directional channel such as that used in email.)
I hope the rest of you don't make the Steve Kent mistake: because I
don't accept the standard line DOES NOT MEAN THAT I AM AGAINST PEM. I
only want to find the true reasons for using public key in PEM. They do
not seem to be enumerated anywhere. I guess that I have been
disappointed by so many prior efforts at introducing security to
communications in the US that I come to the party a little skeptical. I
find that ignoring the problems in a system does not cause those problems
to disappear. They just turn on the system designer in the end and can
destroy the whole system.
- -
Mike> Implementing PEM on VMS was published in last year's Internet
Network Security and Privacy conference proceedings.
Is there a more complete reference? I'd love to go look it up. Does it
describe what users' responses were, the application, or how they used
it?
- -
Mike> PEM itself is easy. Setting up infrastructure and changing
organizational behaviors is difficult.
Boy - you sure have that one right brother!
Peace ..Tom Jones