>MOSS is designed to overcome the limitations of PEM by
>handling MIME messages and being more liberal in the
>hierarchy requirements. But MOSS has so many implementation
>options that it is possible for two independent developers
>to come up with two MOSS mailers that will actually "talk"
>to each other. MOSS can be thought of as a framework rather
>than a specification, and considerable work in
>implementation profiling has yet to be done.
This paragraph, in the best case, is misleading.
To be more precise, the three "limitations of PEM" that MOSS does
differently are as follows. Please note, none of this makes PEM wrong
or broken, just different.
1. PEM is for text-based email. MOSS, because of its integration with
MIME, is for arbitrary data contained in a MIME object.
2. PEM only allows for the encryption of a signed object. MOSS
separates the two services of encryption and signature so that they
may be combined in arbitrary ways.
3. PEM depends on X.509 certificates. MOSS depends on public keys,
although it also supports certificates, of course. An implication
of this is that MOSS makes public key validation and independent
event, in contrast to PEM which requires participation in the
Internet Certification Hierarchy.
As for implementation options, there aren't any I can think of. The
entire spec must be implemented for conformance. There are, however,
two sets of options available to users.
1. Choice of algorithm - MOSS references RFC1423, which requires RSA,
DES, MD2, and MD5 as the Internet standard set today. Of course,
this is subject to change for any number of reasons. The algorithm
choice may also change based on context, e.g., for example the US
Government has its own set of algorithms.
Yes, if two users do not support a similar set of algorithms then
they won't be able to communicate. This applies to PEM and S/MIME,
as well as MOSS.
2. Choice of identifier - MOSS allows a user to choice the form of the
identifier they wish to use for labelling their public key. It is
true that if a user chooses several identifiers for the same public
key and then randomly sends one to various recipients, there is
potential for some confusion. However, the confusion is fixable, by
users, with no software changes.
Finally, MOSS is no more a framework than PEM is, since it is a PEM
derivative. It is a protocol that provides digital signature and
encryption services to MIME objects. The multipart/signed and
multipart/encrypted that MOSS makes use of is a framework, which even
S/MIME could (and arguably should) use.
Jim