I was lying awake last night and this morning trying to think about how
to phrase my objections nicely, but you've said it perfectly.
I'm not sure we agree on the implications, though.
If we
had simply replaced RFC 1421 with an enhancment to add security to
MIME body parts, I think that the result would have been met with
acclaim.
The MIME/PEM proposals, by my reading of them, do exactly this. They provide
an alternative representation of the same things that RFC 1421 can
represent. They also provide the mechanism for a superset of the policies
in RFC 1422, but I again am strongly in favor of separating policy from
mechanism.
Alternately, we could have fixed some of the problmes that
were slowing down the adoption of PEM, and that also would ahve been
well received.
This seems, in fact, to have been the motivation for MIME/PEM in the first
place.
Unfortunately, instead of adopting that rather simple solution
and preserving all of the work that had been done to date, some of
the folks at TIS decided to combine all of the benefits of
southern efficiency and northern charm (can your beer do this?) into
one indigestible system with flaws that are now perceived as
rather serious, at least to a significant portion of the user community.
I don't quite see it this way. I see an attempt to actually build something,
only to be confronted by a wall of "Not Invented Here." TIS deserves a lot of
credit, in my book, for actually building what they are proposing. We can all
want whatever we like, but someone has to put fingers to keyboard and write
the software. And right now, my impression is that the people who are willing
to do so (me, Ned, Jim, etc.) are being blocked by people who want us to build
their personal castles built in the air instead.
No offense meant to anyone here, but I find this *extremely* frustrating.
It is also unfortunate that it is those large customers who are
most likely to benefit from the use of complex MIME structures for
moving forms and electronic doucments around, rather than the AOL
newbies would wouldn't be willing to pay for commercial quality
services in any case.
It's those AOL newbies who are the biggest market for the services we're
discussing. EDI will trundle on its merry way even if we don't come to
closure, as will the Post Office (who'll probably ignore the Internet
altogether and decide that X.400-84 is the One True Way), and so on.
It's the mass market that will be affected by what we do here more than any
other community.
Vendors such as you and Ned would therefore seem to be on the horns of
a dilemma -- you have presumably invested substantially in a product
that doesn't seem to fit either marketplace terribly well.
Right now, the biggest hole in our products are security services. That's why
I am spending hours at a time reading pem-dev and trying to contribute to
getting a proposed standard in place. I am not doing this because I like to
see my own words come up on my screen.
Is it absolutely too late to try to turn back the clock, salvage
the excellent work done in the MIME area, and graft it back on to
an mildly extended RFC 1422 certificate-based processing scheme along
the lines I sketched above?
Well, we could nuke the new key management stuff, endorse self-signed
certificates as an alternate security model, and leave the rest unchanged. I
would have no problem with this.
The clock is ticking, though.
Amanda Walker
InterCon Systems Corporation