> Aha. This is precisely where I think MIME/PEM is a step forward. Classic PEM
> made assumptions about the content it operated on, while MIME/PEM makes far
> fewer, thanks to MIME.
To the extent that PEM made any assumption regarding content, I think it was a
mistake. I also feel that PEM (including PEM/MIME) should be independent of the
transport mechanism, which is why I'd rather see the 8-bit compatibility issue
dealt with elsewhere. But I won't fight to the death over that issue.
> It also, by removing the requirement of using X.509
> certificates rooted in the IPRA (which itself was only quite recently set up),
> or in fact of using X.509 at all, removes key infrastructure concerns from PEM
> itself.
I agree that we can move forward by ducking some of these hard issues at the
moment. I have a difference of opinion as to the suggested mechanism for
accomplishing that, and would prefer the use of user-signed certificates,
rather than abandon the use of certificates entirely, as I said in my lengthy
message to Jim Galvin.
> MIME/PEM, by my reading of it, narrows the focus to just one of
> representation, algorithms (though even this is open-ended), and how to
> construct MIME objects which contain content, encrypted content, and/or
> signatures. It leaves the object management to MIME or other, higher-level
> mechanisms, it leaves key infrastructure as a separate problem, and it brings
> privacy enhanced mail into representational parity with cleartext mail.
If we can achieve that, those are laudable goals.
> > and eat the whole pig all at once, as it were.
> To the contrary; I think that it pushes the whole pig aside and says, "why
> don't we just eat this pork chop to hold us over until the whole pig is done?"
> MIME/PEM is attractive to me precisely because it doesn't try to solve
> everything at once; it just puts a stake in the ground where we have reached
> substantive agreement.
> The proposal as it stands may have some lingering ambiguities, to be sure. I
> would strongly prefer to work on them and get it out the door than to keep
> trying to widen its scope, however important the wider scope may be.
> I'd be shipping PEM software right now into mass-market channels if I had a
> standard that coexisted workably with MIME. This is of far more than academic
> concern to me. Policy models can come later, as far as I am concerned. I
> want the cryptographic and representational issue nailed down now, since I see
> substantive agreement at that layer.
If you as a vendor are seriously prepared to move forward with an integrated
PEM/MIME capability, then I would withdraw my objection to trying to do too
much at one time. Up till now, I have had enough problems trying to get a
vendor to offer one of these capabilities (MIME, PEM, X.500 directory
integration), and I thought that it would be too much to ask for everything all
at once.
When can I buy one?
Bob
--------------------------------
Robert R. Jueneman
Staff Scientist
Wireless and Secure Systems Laboratory
GTE Laboratories
40 Sylvan Road
Waltham, MA 02254
Internet: Jueneman@gte.com
FAX: 1-617-466-2603
Voice: 1-617-466-282