Sorry about my last posting -- I constructed it outside of my user agent with a
non-MIME-aware editor and as a result I left a bogus content-type header in
place that will probably confuse things terribly.
Stupid of me, really. Maybe it will teach me not to bypass my MIME UA and try
to do it myself...

Anyway, here's what I intended to write:

Anyone else here wonder when the authors of the S/MIME FAQ will
substantiate their claim that two MOSS implementations might not
interoperate or remove that claim from the FAQ? Somehow the implied
deficiency has not been raised and this is the list for just such
discussions.

I wonder about this myself. I also wonder about the claim the S/MIME authors
have made that multipart/alternative is more likely to be supported by a given
MIME agent (this despite the fact that full support for selecting between
alternative parts is not a requirement for MIME conformance) than is the
fallback for the interpretation of unknown subtypes of multipart to
multipart/mixed (this despite the fact that this is an absolute requirement
for MIME conformance). I have yet to see a single, solitary example of
an agent that works the way the S/MIME claim posted to the list, unless you
count my own posting of an unconfirmed rumor I heard about an early version
of Netscape that didn't even handle multipart/mixed correctly!

I am also amazed about the nature of some of the arguments that are being used
here. Early in the development of MOSS there was some prose in the document
about how a user agent might signal a security service as to what security
enhancement to perform. This material was roundly criticized because it would
not be unreasonable to expect someone to set things up where the services were
separated by an unsecure path and the signal could be tampered with. I argued
that such a setup was not reasonable, but I was overruled and the prose was
removed. And if memory serves some of the people making that argument are the
same ones supporting S/MIME now.

Yet when I describe a perfectly reasonable implementation model for security
services and show that S/MIME is not secure when used in such an
implementation, I am told that this isn't a problem because there won't be very
many sites that use such a model! This seems more than a little inconsistent
to me. What has happened to our high standards for the implementation of
security services?

I also wonder, as Dave Crocker does, about the nature of the process that has
brought S/MIME into being.

Ned