S/MIME

Ned writes:

S/MIME has a major security hole in it -- a hole so big that people can 
practically drive a truck through it


Thanks for the objective, technical comment that is so characteristic of 
the discussion on this list.  (Just like old times).

I expect to see lots of environments use remote verification services for 
signatures, where messages are forwarded to a remote verifier.


I suspect that this will not be the case, but alas, the market will decide 
for both of us.  Also, I can't imagine why a remote verification service 
can't return to the client the verified text.  Perhaps you have some 
additional insight into how such remote verification services will work.

While we're on the topic of multipart/signed versus multipart/alternative, 
I'd like to bring up the next point that was made during the architecting 
of the S/MIME spec.

The multipart/alternative construct was deemed more useful for backward 
compatability to non-MIME readers.  This is because the "alternative" part 
is in readable ASCII.  The use of multipart/signed infers a requirement 
that the "signed" text be transported from sender to recipient intact.  In 
practice, this would cause a tendency to encode the text for transport 
rendering it unreadable by non-MIME readers.

<Prev in Thread]	Current Thread	[Next in Thread>
S/MIME, spock <= Re: S/MIME, James M Galvin Re: S/MIME, Mark S Feldman Re: S/MIME, Ned Freed Re: S/MIME, Valdis . Kletnieks Re: S/MIME, Richard . Ankney Re: S/MIME, John W. Noerenberg Re: S/MIME, Dave Crocker Re[2]: S/MIME, spock Re: Re[2]: S/MIME, Valdis . Kletnieks Re[3]: S/MIME, Paul Rarey

Previous by Date:	Re: Kerberos v5's experience with ASN.1, Carl Ellison
Next by Date:	Re: why is MOSS not yet an RFC?, James M Galvin
Previous by Thread:	why is MOSS not yet an RFC?, RL Bob Morgan
Next by Thread:	Re: S/MIME, James M Galvin
Indexes:	[Date] [Thread] [Top] [All Lists]