>From: Dave Crocker <dcrocker(_at_)mordor(_dot_)stanford(_dot_)edu>
>Subject: Re: PEM = Protected Electronic Mail
>Date: Fri, 24 Jun 1994 13:38:50 -0700
>I believe it is reasonable to view the current round of effort as having
>some significant differences from most of the previous efforts, in terms of
>encompassing a more, ummmm, diverse set of solutions.
The group approached melt-down before the last IETF meeting, based on the
differences in what the various parties want PEM for. basically, there
was market sector fragmentation between personal private mail, and
business mail assured for use in commercial functions.
The dominant TIS-PEM and MIME product group have a market, and seem
(woops) to want the IETF PEM group to support its promotion and assist
the market creation by piloting etc. They clearly see a market in
unassured, application-oriented, free RFC822 named/addressed, "ad hoc"
bilateral and personal security based on partial exploitation of the
former-reference implementation (TIS-PEM) and allied product software
suites. Based on a thousand hours of argument, they pursuaded
themselves, and many other on the list, that this was where the
Interent users use of PEM-type technology was going (based on the
growth of PGP and PGP-servers, and the success of other bilateral
key-exchange systems in other protocol scenarios).
The group couldn't agree that this was the right thing to do, so
fractured. The vast majority of the former work required to practically
achieve the objectives which PEM was designed to achieve has moved away
from the IETF, and the former proponents of an assured key-management
system for organizational and individual messaging are proceeding in
consort with a wide variety of user groups and nominal service providers who see
non-repudiation as a vital factor in use of the technology for
commerce. The new axis for the group doesnt seem to need a lot of discussion;
rather for the implementors to just get out there and use/pilot/sell it in
competition with PGP.
Now, the Internet Society was reported to now have bugetted for the IPRA
Safekeyper (and presumably has ordered it), and can be presumed to be
getting itself organized to offer the associated service to its member
organizations. Its unclear whether this is for the benefit of the
former or latter concept, or whether it will support other working groups'
needs for an asymmetric key-management system. Perhaps I missed the mail
discussing all this, and who will operate the service in practice; how
things were fairly and openly decided, etc; it happens.
Have I summarised PEM fairly? Toronto meeting is approaching, and apart from
the technical review of PEM traversing the MIME world safely, do we have
any other things to decide and take forward? There were a number of
I-Ds, and detailed mail proposals which might be acted on, both
for the former PEM objectives, and for the newer ad-hoc messaging and
message-store/applications-of-messaging security needs now being addressed?
If nothing else, the table needs clearing of dead wood (infamous pun), to know
the new agenda, now that the PEM dust from the last IETF has settled a little.