OK, here's a question that has come up before, but that I now find to be
of more immediate importance than I did a year ago:
MOSS does not provide symmetric encryption services. PEM does, but does
not support MIME message bodies. What should I do to provide symmetric
encryption of MIME message bodies or message elements?
There seem to be three basic approaches:
(1) Use PEM as-is, and just watch for MIME headers in the encapsulated
header area.
(2) Extend PEM with "Content-Domain: MIME", in which the PEM payload
would be interpreted as a MIME message element, not as an entire
message [as in (1)].
(3) Extend MOSS to allow symmetric as well as asymmetric encryption in
security multiparts.
After some thought, all of these would serve approximately as well as the
others for my immediate purposes. Does anyone have any thoughts on the matter,
and if so, which approach would have better implications for interoperability
and future deployment?
For that matter, if there are other approaches with clear advantages, I'd
be interested in hearing about them as well.
I realize that asymmetric encryption (notably RSA-encrypted DEKs) gets most
of the attention, but we've had some requests for symmetric encryption, in
which key management takes place through existing out-of-band channels
rather than through public key encryption. This also has the advantage of
being deployable without royalties, which is important in low-cost products.
Thoughts? Catcalls :)?
Amanda Walker
InterCon Systems Corporation