It's a pity to see this issue
surface at this time, relative to the standards process, but if
customer interest is just surfacing one cannot blame the process.
I agree. I remember wondering if dropping support for symmetric
encryption was going to be a problem, but couldn't come up with a
reasonable reason to keep it (aside from esthetics :)).
However, by starting to get some actual customer feedback, I've
discovered a new data point (in other words, in the immortal words of Arlo
Guthrie, "there was a *third* possibility that we hadn't even counted
upon"). That new data point is that setting up an organizational
public key infrastructure is hard and/or expensive. There turn out
to be a few classes of organization for which key management via public
key certificates is unattractive. Some simply don't want to bother,
and are satisfied with manually managing encryption keys or pass
phrases for particular channels. Some already have a security policy
which handles symmetric keys but not public key certificates. At
least one potential customer wants encryption, out of band key management,
and repudiability. This last one is hard to do with certificates :).
Surprised the heck out of me, but now I'm trying to figure out how
to meet the demand.
However, I doubt that
the PEM "installed base" (which is not all that big in the U.S.) will
be prepared to interoperate.
So far, the feedback I've gotten is that this isn't a primary concern (this
is why the MOSS-style approach is just as viable for my purposes at the
moment). I just figured that if someone else was doing something similar,
I might as well not re-invent the wheel. If no one else is actually doing
this, well, at least it's a very small wheel, and I'll be happy to document
it just in case :). I certainly don't think it's worth jeopardizing the
progress of MOSS as a standard. Clearly as certification services become
more prevalent, it'll be the way to go in most cases.
Although I wonder what happened to the USPS guys--they were raring to go
earlier this year, but I haven't heard a peep about their certification
services plans for a while now...
Amanda Walker
InterCon Systems Corporation