Since there is no new material to review, I question your motivation to
delay calling for a vote until late December or January, especially
considering that an implementation already exists.
Is there more than one implementation to demonstrate interoperability? If so,
what modes of operation do they use?
My company has been attempting to install PEM internally. PEM had some flaws,
but generally provided a fairly complete set of workable specifications. The
new draft is flawed and I see few reasons to implement the new PEM-MIME.
The new draft (draft-ietf-pem-mime-07.txt) is a radical departure from the
original PEM RFCs (1421, 1422, 1423, 1424). It has many new modes of operation
that will complicate the creation of interoperable implementations. The
internet draft does not adequately describe what are the minimum requirements
for a conformant implementation.
The new name forms, identifiers and trust models represent some interesting
technical ideas, but they are presented out of context from the problems they
originally were intended to solve. They provide a variety of ways to solve
issues with the earlier PEM RFCs, but create too many ways to build a system.
It is also interesting to note that there is no mention of PGP in the text of
the draft. Many of the changes from PEM to MIME-PEM-07 were made to mimic the
trust model and functionality of PGP. Why not admit in the specification that
PEM has been modified to use PGP public keys? Or am I wrong on this
interpretation...
Paul