As a start, we could enumerate the object security requirements of the
existing applications and get some idea of the scope of the problem.
However, to be successful, this needs to be more than an academic exercise.
We need buy-in from the application developers in particular and the
internet community in general.
Phil Smiley
One of the (secondary) goals of PEM from the beginning was that a PEM message
could be delivered by sneaker net, as well as by mail. We have occasionally
perverted that goal somewhat, for example by building in assumptions about the
kind of transport media (7 bit or 8 bit), and by considering/allowing/requiring
a user's e-mail address as part of the certificate structure, but these are
relatively minor objections.
We already have an extremely significant buy-in from the folks at Apple, who
built in digital signatures that were intended to be PEM compliant into their
basic operating system kernel, although because of parallel development efforts
they may have diverged slightly. We need to encourage Microsoft, Lotus, and the
other major players to do likewise, and we should be prepared to modify our
efforts to use PKCS or whatever other variant the market seems most disposed to
use.
I think that we should be more concerned about the computing community as a
whole, rather than that subset which are Internet users per se. Having said
that, however, I have no objection to developing some of these ideas under the
auspices of the IETF, as opposed to ISO, OSF-DCE, etc.
Bob
--------------------------------
Robert R. Jueneman
Mgr., Secure Systems
Wireless and Secure Systems Laboratory
GTE Laboratories
40 Sylvan Road
Waltham, MA 02254
Internet: Jueneman(_at_)gte(_dot_)com
FAX: 1-617-466-2603
Voice: 1-617-466-2820 (rolls over to cellular and/or my house
if no answer -- have patience)