> I am new to this mail security and this group. I was reading the FAQ
> on S/MIME. There is a paragraph comparing S/MIME to MOSS. Is this
> an accurate statement?

In a word, no.

> MOSS is designed to overcome the limitations of PEM by
> handling MIME messages and being more liberal in the
> hierarchy requirements.

This is true. Flexibility and extensibility, both in terms of message
content and key management, have been added. PEM services were
limited to simple text messages. MOSS fits into the MIME model and
allows security services to be added to any MIME body parts iteratively
and/or recursively as makes sense in any context. In addition to
supporting the original PEM/X.509 certification hierarchy, MOSS allows
bare public keys to be used.

> But MOSS has so many implementation
> options that it is possible for two independent developers
> to come up with two MOSS mailers that will actually "talk"
> to each other. MOSS can be thought of as a framework rather
> than a specification, and considerable work in
> implementation profiling has yet to be done.

This is the reason for my "no" answer above. MOSS is a specification.
A set of specifications, actually. There is no more ambiguity in MOSS
than in PEM and there's no reason that anyone implementing from the
specifications will not produce a fully interoperable implementation.
I can't think of any "implementation options" that would cause
incompatibility, unless "implementation options" means not following
the specifications. If there's a flaw in the specifications that
could lead to interoperability problems, I'm sure the RFC authors
would like to hear about it!

> Is there expected to be another sample implementation of MOSS besides
> TIS/MOSS?

Just two days ago, Andrew Young
<A(_dot_)Young(_at_)cs(_dot_)ucl(_dot_)ac(_dot_)uk> posted a signed
message to this list using the first part of a MOSS implementation he
is authoring. I was able to verify the signature. The only problem
with his message, and a simple one for Andrew to fix, was based on
misreading the very specific specifications. No ambiguous,
incompatible options there.
Anyone who had previously authored a PEM implementation should be able
to author a MOSS implementation without too much effort. The
underlying cryptography is all the same and MIME user agents which
will do the MIME packaging and unpackaging exist. There may be more
development now that the specifications have achieved proposed
standard status. Of course, some folks might be waiting for the new
RFC numbers:-)

> Thanks very much for your help
> Adrienne

My pleasure.
Mark
binf3vHPiCsQA.bin
Description: application/moss-signature