pem-dev

Re: MOSS question

1995-09-18 08:23:00
At 6:50 AM 9/15/95, James M Galvin wrote:
      >to each other.  MOSS can be thought of as a framework rather
      >than a specification, and considerable work in

        As I feared, there probably is some confusion between MIME
multipart/security and MOSS.

        MIME's Multipart Security mechanism is a MIME specification for
labeling security objects.  As such, you can't do security with only this
spec.  You need more detail.  The technical feature of this specification
is to allow non-security-aware MIME implementations to handle objects which
are signed but not sealed.  That is, cleartext is still accessible.  This
is not possible with S/MIME.  While the cleartext is there, it is labeled
under the MIME application convention and hence cannot be processed by
implementations that are unaware of S/MIME.  The S/MIME suggestion for
carrying a redundant copy under multipart/alternative has some problems, as
discussed earlier.

        MOSS is a recasting of PEM, as described so nicely by Jim G.  It
has core security features and therefore IS a security specification.  It
also allows quite a bit of variance and I can see why that would be
daunting.  Personally, I tend to fear combinatorial explosions, too.
That's why specs need to contain minimum conformance requirements, so that
all implementations support at least one level of service available to all.


        At the least, we need to get our stories straight.  Either
combinatorials are good (S-HTTP?) or they are bad (MOSS?).  The community
working on security seems to be rather segmented on this view.

d/

--------------------
Dave Crocker                                                +1 408 246 8253
Brandenburg Consulting                                fax:  +1 408 249 6205
675 Spruce Dr.                                       page:  +1 408 581 1174
Sunnyvale, CA  94086 USA                           
dcrocker(_at_)brandenburg(_dot_)com
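
Added example, not part of the original message: a Python sketch of the signed-but-not-sealed point above, using only the standard `email` package as a stand-in for a non-security-aware MIME reader. Both sample messages are constructed, the signature and PKCS#7 bodies are placeholders, and the `application/moss-signature`, `rsa-md5` and `application/pkcs7-mime` labels are assumed from RFC 1847/1848 and S/MIME usage rather than taken from the message.

```python
from email import message_from_string

# Constructed sample: multipart/signed (RFC 1847 framing, MOSS labels).
# The signature part is a placeholder, not a real signature.
SIGNED = """\
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/moss-signature";
 micalg="rsa-md5"; boundary="sig-boundary"

--sig-boundary
Content-Type: text/plain; charset=us-ascii

Meeting moved to 3pm.
--sig-boundary
Content-Type: application/moss-signature

PLACEHOLDER-SIGNATURE-NOT-REAL
--sig-boundary--
"""

# Constructed sample: the same text wrapped in a single opaque object.
# The body is base64 of the word PLACEHOLDER, not a real PKCS#7 object.
OPAQUE = """\
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; name="smime.p7m"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
"""

def readable_text(raw):
    """Text a security-unaware MIME reader can display: text/* leaves only."""
    msg = message_from_string(raw)
    return [part.get_payload(decode=True).decode("ascii").strip()
            for part in msg.walk()
            if part.get_content_maintype() == "text"]

def signed_structure_ok(raw):
    """RFC 1847 framing check: two parts, second typed as the protocol parameter."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/signed":
        return False
    parts = msg.get_payload()
    protocol = (msg.get_param("protocol") or "").lower()
    return (isinstance(parts, list) and len(parts) == 2
            and parts[1].get_content_type() == protocol)

if __name__ == "__main__":
    print("multipart/signed ->", readable_text(SIGNED), signed_structure_ok(SIGNED))
    print("opaque object    ->", readable_text(OPAQUE), signed_structure_ok(OPAQUE))
```

The framing check only confirms the labeling; it verifies no signature, which is the sense in which the labeling spec alone cannot "do security".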


