PEM's future direction

1994-06-24 18:35:00
Based on a recent posting by Peter Williams, I detect a great deal of
turmoil that has not been reflected on this mailing list.  Is it the case
that politics is now dominant and the technical discussion will be held
in abeyance until the "real" solution appears from the proverbial
"smoke-filled room"?

Since I have been following this list, I have noted, on several
postings, that I could never determine the purpose nor the scope
intended for PEM.  That made it extremely difficult for me to evaluate
any statement made here --- I had no frame of reference.  Now most
participants came with their own agenda, so they had no problem making
judgments.

- - - -

Peter Williams>...  basically, there was market sector fragmentation
between personal private mail, and business mail assured for use in
commercial functions.

IMHO this is not a very interesting distinction, business mail is
primarily personal.  Perhaps the distinction that is needed is between
legally binding non-repudiation (will probably need DSS) and privacy for
personal and business use (DES or IDEA with some sort of key
management.)

- - - -

Peter Williams> The dominant TIS-PEM and MIME product group have a
market, and seem (woops) to want the IETF PEM group to support its
promotion and assist the market creation by piloting etc.  They clearly
see a market in unassured, application-oriented, free RFC822
named/addressed, "ad hoc" bilateral and personal security based on
partial exploitation of the former-reference implementation (TIS-PEM)
and allied product software suites.  Based on a thousand hours of
argument, they persuaded themselves, and many others on the list, that
this was where the Internet users' use of PEM-type technology was going
(based on the growth of PGP and PGP-servers, and the success of other
bilateral key-exchange systems in other protocol scenarios).


So are you saying that PEM smelled success by aping the PGP model?
Going head-to-head with PGP will probably not be fruitful.  PEM needs its
own market niche.

- - - -

Peter Williams> The group couldn't agree that this was the right thing
to do, so fractured.

Perhaps this was in the best interest of the group long term.

- - - -

Peter Williams> The new axis for the group doesn't seem to need a lot of
discussion; rather for the implementors to just get out there and
use/pilot/sell it in competition with PGP.

With no good definition of either the product, nor of the market to be
served, it is unlikely that this will result in any better standards.

- - - -

Let's look at my own take on the market break-down:

1> Military - There is an RFQ out now for DMS.  I heard that the big
boys (uSoft and Lotus) were battling for it with versions of their COTS
product with mod's for the TESSERA card.  Does anyone have more current
info?

2> Legal non-repudiation - The IRS needs to be able to put people in
jail for falsifying tax returns.  They need to accept electronic tax
returns.  What's the solution?

3> Business use - Businesses today function just fine with the FAX.  If
they want to know whether to ship an order, they check with D&B or with
some of the firms other trading partners.  How can we get at least that
level of trust?

4> Personal use - People want to protect their correspondence, whether
it's love letters, trade secrets or drug deals.  PGP seems to work just
fine, but it makes the government nervous.  There is no resolution of
this problem, nor is one possible until the laws of the land change.

Now, my reading from Peter, is that we have people arguing over the
difference between 2 and 3.  (Let's assume that PEM will never cut it for
point 4, just for the time being.)  Then old hierarchical PEM seems to
solve the problem for 2, but only if the government accepts it.  The
problem for 3, IMHO could be solved just fine by PGP, but, apparently,
some of the old line PEM folk want to move PEM in that direction.  There
is no competition now for item 2, except that the government can't make
up its mind whether to use DSS or go blind.  That means that 2 WILL NOT
be solved until it is time to solve it.  (Say the IRS were to start
actually accepting TAX forms with DSS, or with RSA for that matter.)  So
if PEM were to work for non-repudiation, it might (or might not) require
some new algorithms, but, in any case, we cannot know until the legal
situation shakes out.  So that leaves the people who want to move PEM
forward with 3, but that means that there will be competition between
PEM and PGP.  Is that wise, or even necessary?

Peace ..Tom
