pem-dev

Re: summary of technical issues

1994-12-29 14:37:00
On Tue, 27 Dec 1994, Ali Bahreman wrote:

> Technically, I agree with you.  MIME-PEM is yet another format for
> secure e-mail messages.  It happens to be MIME and it happens to use
> some sort of public-key mechanism.  It could have easily been designed
> for PGP which I truly think should have been the authors' first
> attempt at integrating security with MIME (it's not too late).
> After all, there is the perception that PGP is or will be used more
> than PEM.

Some of the PGP ideas have influenced MIME-PEM.  That's not an indictment 
of MIME-PEM, but rather an indictment of Classic-PEM that did not think 
of including certain features that in hindsight proved necessary.

> MIME-PEM does nothing to solve the inherent difficult problems as seen
> by classic-PEM, namely the requirements for the security services, user
> interface and transparency, and does little (except for specifying
> cert/crl retrieval messages) to provide a key/crl management structure
> for pk information retrieval.

Classic-PEM is in 4 parts: procedures, key management, algorithm
identifiers, and key certification.  MIME-PEM replaces part 1 and adds a
little more flexibility to the key identification bits of part 2.  All 
else is the same.  Any nifty key/crl management features of Classic-PEM 
are also present in MIME-PEM.

MIME provides a user interface and transparency model that completely
walks all over Classic-PEM.  Classic-PEM, like PGP, uuencode, binhex, and
half a million other formats, is a hack that did the job at the time but
does not scale well to today's messaging needs which go beyond simple
text. 

Be that as it may, for 99% of MIME-PEM messages it will not be necessary
to have a full MIME implementation.  The difficulty of hand-crafting a
mini MIME parser that just understands the MIME-PEM bits would be on the
same order of difficulty as hand-crafting a Classic-PEM parser.  Since I
expect that most PEM implementations will do this in short order, what 
are you worried about?

People, the clock is ticking here.  The PGP crowd is apparently also
looking at MIME integration.  Whoever gets there first (PEM or PGP) and
wins over the bulk of the MIME implementors will win this race forever
in the eyes of the users.  We can rant and rave all we want about the nice
features of PEM, but they will be _irrelevant_ if we cannot integrate them
with MIME and soon.  The users are demanding MIME, not hacks.  Every extra
day that MIME-PEM is delayed is an extra day that I have to pull apart PGP
and think about how to support MIME-PGP instead. 

Cheers,

Rhys.
-- 
Rhys Weatherley, Queensland University of Technology, Brisbane, Australia.
E-mail: rhys(_at_)fit(_dot_)qut(_dot_)edu(_dot_)au
"net.maturity is knowing when NOT to followup"

