Steve> I don't think there will be much room for people to be fooled. If
there are a few incidents, we'll see rapid increase in awareness. I'm not
worried about spoofing of automatic programs that read mail; they
should be written to know what's in versus what's out of the message.
Jeff> Programs should run against the output of the de-enhancing program.
Perhaps I am not the norm, but I have at least five different mail
programs that I use depending on where I am and which of several
systems I access. We even have one service where the messages are
printed on paper prior to delivery due to a missing link between
two systems. Each has their own set of header messages that they
pass thru to the user.
The PEM standard and the comments above seem to attempt to standardize
"inside" of mail systems. This can never work due, in part, to the
large existing base and, in part, to the new technologies (e.g. Magic Cap)
that insist on their own presentation image. To the extent that the
PEM (or PGP) standards rely on defining the presentation image of the
message, they will fail. New implementations will, and should, be bound
by customer issues rather than security details that will, in all
probability, not even be read by the implementers of the new systems.
Even NIST has decided to standardize, and certify, only the
cryptographic module.
The PEM and PGP solutions are both flawed IMHO by attempting to fix
a protocol problem with an overlay that will get mislaid in future
implementations.
Peace ..Tom