pem-dev

Re: voting

1994-12-13 16:03:00
On Tue, 13 Dec 1994, Theodore Ts'o wrote:

> An argument can be made that they shouldn't be allowed to try
> alternative trust models, and the standard should actively make it
> impossible to do so.  In other words, "we're Big Brother, we know what's
> right, and when we want your opinion, we'll give it to you."  The U.S.
> government tried that with Clipper, with disastrous results.  For that
> reason, I believe MIME-PEM is on the right track.  Otherwise, PEM has
> the danger of becoming largely irrelevant.

Hear, hear!

Six months ago I was looking at implementing PEM to help curb the PGP 
invasion and use something a little more standardised in my own 
software.  My software is still in development (lots of other things to 
do in other subsystems), but now I'm thinking: to heck with it, support 
both and work on merging the two trust models.

Currently, the differences in key formats between PGP and PEM are merely
annoying: the important thing is the _key_, not the way you name the key. 
X.509 is a dead loss until such time as X.500 becomes a lot more
universal.  It may have the flexibility, but it doesn't have the
simplicity to bootstrap ourselves up to wide acceptance quickly. 

I believe that the goal for the working group in the next year should be
to find a way to make the signatures on clear-signed messages the same no
matter whether PEM or PGP is used.  This means harmonising the key
formats, at least to the point where extracting the public key component
is easy for both the PEM and PGP models, and choosing a standard MIME
multipart structure for containing the clear-signed message and its
signature.  Once this has been done, the working group should move onto
harmonising the encryption schemes so both PEM and PGP support the same
encryption schemes, and then move onto scaling the trust model up to huge
proportions. 

IMHO of course.

Cheers,

Rhys.
-- 
Rhys Weatherley, Queensland University of Technology, Brisbane, Australia.
E-mail: rhys@fit.qut.edu.au  "net.maturity is knowing when NOT to followup"

