pem-dev

Re: Time stamps

1995-02-24 13:50:00
...
My frustration level with this process is increasing monotonically, 
because even though this is the second iteration of trying to build a 
reasonably universal public key infrastructure, the vendors appear to 
have a vested interest in their current capabilities and code and don't
want to change a single line.  Again and again we hear that it is too 
late, that we have to get the product out the door, that we can't 
include everything, etc., etc., but that's exactly what was said three 
years ago, and so far we haven't even seen the final draft of the
proposed standard!

The MOSS specs provide a reasonably universal public key
INFRASTRUCTURE.  Digital signatures and confidentiality of arbitrary
data are addressed.  Room for alternate algorithms is included.  A
scalable certificate hierarchy is addressed.  That's all that's needed
for the INFRASTRUCTURE.  You want more?  Build it on top of the
infrastructure.  The primary definition for infrastructure from my
online Webster's Ninth New Collegiate Dictionary is "1: the underlying
foundation or basic framework (as of a system or organization)."  We
have that.

On one hand you argue for a cryptographically secure system.  On the
other, you want to assign meaning to a "signature timestamp," which is
an arbitrary piece of data completely under the user's control. 

Digital signatures are more analogous to "wet" signatures than you are
willing to admit.  Dates are part of many documents.  Pre- or
post-dating certain documents carries certain penalties if discovered.
This is part and parcel of the legal status of the document.  There is
precedence for this.  Your "signature timestamp" has no such
precedence, no enforceability, either programmatically or legally, and
no worth.  Its value is an illusion.  Third party timestamps could be
very useful in certain applications and they can be built using the
MOSS infrastructure.

There is never enough time to do it right, but there is always enough
time (for someone else) to do it over!

There is no need to do anything over.  There's plenty of room to build
things on top of MOSS.  Ever try using the interstate highway system
without a car or gasoline?  

As for vendors not wanting to change things, that's a cheap shot.
Implementation of 142x showed us its weaknesses, so we invested in
development of the MOSS standard and an implementation.  Many vendors
on this list have made an effort and are now waiting for finalization
(Amanda and Ned come to mind), and that waiting is expensive in the
development of something that was needed yesterday.

INFRASTRUCTURE != COMPLETE SYSTEM THAT DOES EVERYTHING FOR EVERYONE.

What we have is good and we should agree on that and move on.  Moving
on includes spreading the infrastructure (implementations) and working
on services on top of the infrastructure (new services could easily be
developed and complex ones could breed new working groups).  

  Mark

Attachment: binHVO0qAgvbS.bin
Description: application/pem-signature
