How do people feel about the status of the PEM RFCs? I assume no one
is acting to push them through IESG standards processes. Is it
acceptable IETF behaviour to simply use an RFC, and not
pursue standardization processes?
The developers need a home to discuss, advance etc. Would it be
acceptable to have this PEM-centric forum located in W3C, versus IETF?
As IETF has kind of "done with" PEM (with a certain amount
of disillusionment and its replacement with the totally revised
MOSS), could others take over its technical furtherance without
causing any inter-body acrimony?
Anyone have any opinions they would care to share?

I think you may be assuming motives which are not there, although a certain
amount of politics surrounds any security-related activity.
First of all, working groups exist to produce RFCs, which may or may not become
standards. PEM exists, and can be used by anyone who wants to provide its set
of services in an RFC 822 environment. I don't see what a PEM working group
has left to do, except perhaps for any final edits requested during the final
phase of standardization.
Now, the same group of people may well continue to work together, and in fact
form working groups for related (or even unrelated) purposes. In effect, this
is what happened with MOSS, and what I expect to happen in the future.
However, this doesn't necessarily mean that it can, or should, be done under
the auspices of the IETF PEM Working Group per se. One thing that the IETF
structure tries to avoid (with varying degrees of success) is the creation of
committees with indefinite extent. The PEM working group, despite the
production of some very fine work (both PEM and MOSS) is an example of one which
threatens to become such a committee. It's far from the only one, of course--I
think that the HTML working group is actually in much worse danger of becoming
a perpetual motion machine, but that's a topic for another mailing list.
If PEM is being used, great. That's the whole idea behind the standards
process. I would, in fact, be rather surprised if folks like VeriSign
*weren't* using it. No sense reinventing a wheel when you don't have to, and
PEM is a pretty good wheel for what it does.
MOSS isn't a "replacement" for PEM, as I see it. It's a *different* scheme,
which provides a different set of security services over a different domain.
For some of us (namely, MIME software vendors :)), it's a more useful domain
and set of services, but this doesn't mean that PEM should be abandoned. Far
from it. In fact, it's the best thing out there for what it does provide.

Amanda Walker
InterCon Systems Corporation