By WEB, do you mean MOSAIC, FTP, telnet, or all the above? Certainly, e-mail
is only a small part of the internet. One point I was trying to make is that
there is a degree of commonality in the security requirements of e-mail, MIME,
http, ftp, and other applications. We should be able to define a common
security encapsulation usable by these applications. I listed the reasons for
this in my earlier message.
We should have interoperability at the key certificate level certainly, and
there should be no glaring incompatibilities. But the idea that there should be
a common encapsulation is simply wrong. HTTP is moving towards being an
interactive protocol, it is in any case BY NON-NEGOTIABLE DEFINITION 8-bit
clean. The Web attitude to 7bitters is simple "sod off - we don't need you". I
don't think that the eMail community can afford that attitude. Putting text
into Base64 or canonicalising it is simply irrelevant in the Web area.
Agreed. I think successful, consistent implementation of the secure versions
of these products is critical to their success. I also agree this is a
cumbersome problem. That's why we shouldn't solve the problem more times than
we have to.
But where is the evidence that we have "solved problems"? A problem is not
solved until the product is in ubiquitous use. PGP is the only mail privacy
product that can claim anything like that and even then the usage is minuscule.
The real PEM/WWW concern is that browsers be able to reuse the maximum amount
of code between the Mail privacy and HTTP privacy modules. Taking out a few
calls to do base 64 or canonicalisation lossage is not difficult.
I think there are (or were) reference implementations of PEM. The thing that
made it difficult was the CA management and export issues. This was the other
point in my first message.
PEM certificate management and trust model is related only to email. It is
sufficient to know that the person is or is not who they claim. The Web will
be used for much more complex operations and the question of CA liability comes
in. The binary trust model of PEM and PGP is completely unworkable in this
arena. Authenticating parties must have a mechanism that allows them to limit
the extent of their liabilities. In an institutional setting this becomes even
more complex.
Export issues are practically irrelevant so far as the Web is concerned. Most
of the work on the common library is currently being done in Geneva.
I suspect that PEM and MIME will start to take off as soon as there are editing
Web browsers.
Phill Hallam-Baker