-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-ID-Asymmetric: MFMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNRDE
kMCIGA1UEChMbVHJ1c3RlZCBJbmZvcm1hdGlvbiBTeXN0ZW1zMREwDwYDVQQLEwh
HbGVud29vZA==,03
MIC-Info: RSA-MD5,RSA,VtRV34S1/8jBUqZrhpzNhlaWAJ8q5qFy/rHEh6fye38
Fu6L4QtVW3RC3qSoILuLw8Ce17cMo08mlypfiTFEgRkzU/D078KKiCy3Qq5C3yra
5tYQiFpSPfgYnrb9gZ6tr
With respect to the text in RFC 1421 quoted below, one reason
confidentiality is mentioned last is pedagogical. The protocol is
structured with confidentiality optional but authentication, etc.
always included. IT's natural to describe the protocol with the
required elements first and optional elements after that; I don't
think it reflects any specific priority.
We've had cause to consider authentication vs confidentiality from a
different perspective, with the following conclusion.
Confidentiality is most most meaningful among fairly small groups.
The typical case is a group of two to ten people who know each
other and want to exchange mail that has some sensitivity. Large
scale use of PEM for confidentiality is thus characterized as
large numbers of small groups.
In contrast, authentication is of high priority in large groups in
which the members are not in frequent and close communication.
Examples include large corporations, inter-company communications
and public news groups.
Early use of PEM is likely to be among small groups who perceive a
need for confidentiality and therefore exert the energy to install and
use PEM. As PEM becomes more widely available, the authentication
aspect will become more important. It's not surprising, therefore,
that a survey of prospective early users might focus more on
confidentiality than on authentication. Most likely, their answers
would depend on whether they are considering how they would use PEM
themselves versus how they see PEM being used more broadly.
Steve
Sender: pem-dev-relay(_at_)TIS(_dot_)COM
From: Doug Porter <dporter(_at_)well(_dot_)sf(_dot_)ca(_dot_)us>
To: pem-dev(_at_)TIS(_dot_)COM
Date: Thu, 5 Aug 1993 03:48:43 -0700
Subject: Is PEM meeting our goals?
An even 75% of respondents want PEM to enhance privacy most. Not a single
person said they wanted liability most.
From RFC 1421:
"Authentication, integrity, and (when asymmetric key management is
employed) non-repudiation of origin services are applied to all PEM
messages; confidentiality services are optionally selectable."
How well does this fit our goals?
Doug Porter
-----END PRIVACY-ENHANCED MESSAGE-----