My assessment of the "failure" of PEM is different from yours,
perhaps because of a different perspective on the market.
In my view, PEM failed because it was not deployed in a timely fashion.
It depended on an infrastructure that was not built, and does not yet exist.
This lack of deployment is the mistake we are in danger of repeating. If we
repeat it, everything else is moot.
> I don't mean to dismiss the PGP users out of hand. But on the other
> hand, I don't see any great wave of PGP encrypted or signed
> messages flowing over the net, either.
I do. In between Email World and the IETF this month I stayed with a friend
of mine who happens to be a leading fiction copy editor. She uses PGP to send
pre-published manuscripts back and forth with her publishers over the
Internet, and says that there's a *lot* of interest in PGP in that industry.
They've never even heard of PEM. Nobody's promoted it, nobody's deployed it
until very recently, and the infrastructure for it still does not exist.

> And I don't see anyone in
> corporate America, in the EDI or Electronic Commerce area, in
> the electronic benefits and tax filing areas, or in the federal, state
> or local governmental level adopting PGP to any significant degree.
EDI and governments are not the only arenas where PEM is applicable, and they
are not representative of mass-market applications.
EDI is based on contracts, drawn up in advance, and is very concerned with
authorization, roles, and so on. Certificates are perfect for this. However,
the mass market does not seem to want electronic commerce according to the EDI
model, they want it according to the credit card model. No prior arrangement,
ad hoc transactions, instant clearing. For this, certificates are close to
irrelevant, although they are useful for setting up persistent accounts.
The same is true of governmental and tax/benefit models. For these contexts,
certificates are great and useful things. For sending love notes, letters
home to mom, ordering something from MacWarehouse, and such, X.509
certificates are not as useful as things like First Virtual or CyberCash's
payment systems.
> And that is my fundamental objection. Maybe we should call it PGP/MIME?
Certificates are useful for many things. Certificates are not useful for all
things. MIME/PEM is a general-purpose mechanism upon which certificate-based,
ad-hoc, or other authorization and trust models can be built. It does not
preclude anyone from using it for EDI. It also does not require anyone to
jump through EDI-style hoops just so they can order a coffee mug over the net.
Mechanism, not policy. MIME/PEM is a format. It is a piece of
infrastructure. It is not sufficient infrastructure for many PEM applications,
but it is a necessary subset that is shared by most if not all PEM
applications.
What is wrong with approving this necessary subset, even though it is not all
things to all users?
Completeness is not necessary for utility.
Amanda Walker
InterCon Systems Corporation
PGP Key fingerprint: 594F63C03B52DC4E37E9160DE733CD87
PEM MD5OfPublicKey: 8E4A21B7025943DE2EDC7CC038B3D6B1