pem-dev

RE: PEM vs WEB, A user Perspective

1994-12-12 15:33:00
Alireza Bahreman writes:
1) Comparing PEM with the WEB is like comparing apples to oranges.  
PEM is much limited in scope and only deals with secure e-mail while
the WEB deals with all kinds of information and resources, from telnet
to gopher, and more.  The WEB obviously enjoys more usage because it
offers more services albeit unsecured.

By WEB, do you mean MOSAIC, FTP, telnet, or all the above?  Certainly, e-mail 
is only a small part of the internet.  One point I was trying to make is that 
there is a degree of commonality in the security requirements of e-mail, MIME, 
http, ftp, and other applications.  We should be able to define a common 
security encapsulation usable by these applications.  I listed the reasons for 
this in my earlier message.

I would also agree that the security requirements for ip and telnet are very 
different from the applications mentioned above. 

2) While it has been shown that the unsecured version of the WEB has
been embraced relatively fast, it is not immediately obvious that the
secure version will be embraced at a comparable rate.  This is because
security is cumbersome for ordinary users and there are issues still
open such as the key management, performance tradeoffs (packetization
of encrypted data and incremental integrity checking), and last but
not least the prospect of standardizing competing proposals.

Agreed.  I think successful, consistent implementation of the secure versions 
of these products is critical to their success.  I also agree this is a 
cumbersome problem.  That's why we shouldn't solve the problem more times than 
we have to.

One of the *major* disadvantages of PEM was the lack of a free, GUI,
easy to use interface available on *all* platforms and for all e-mail
packages currently used by all users.  In other words, we chose to
secure a difficult application.   The WEB on the other hand became
successful because they addressed this GUI issue.   I don't think that
the X.509 or CA infrastructure stopped or is stopping PEM (technically)
and I don't think that introducing MIME-PEM will change that because
it makes it harder for non-MIME aware mailers to integrate security.

I think there are (or were) reference implementations of PEM.  The thing that 
made it difficult was the CA management and export issues.  This was the other 
point in my first message.

Perhaps the market drive (electronic commerce) will provide a greater
incentive for people to secure the WEB than e-mail using PEM/PGP.  I
think this is a key factor in what is to come....

I agree that market drive will provide incentive for shttp, PEM, PEM-MIME and 
other applications.  I'm not sure what you mean by "secure the web".  Do you 
mean things like ipsec will eliminate the need for PGP, PEM, etc?  I would 
disagree with that.

If my response sounds terse, I apologize.  I wanted to clarify my position as 
quickly as possible.

Phil Smiley

