On Fri, 23 Feb 1996, James M. Galvin wrote:
At 3:55 PM 2/19/96, Raph Levien wrote:
That said, I'd like to emphasize a point made by the S/MIME FAQ. It says
that "MOSS can be thought of as a framework rather than a specification,"
because it fails to specify certain details such as the cryptographic
algorithms.
Surely you realize that the S/MIME FAQ is hardly a source of objective,
factual statements about a competing technology. For example, MOSS does
specify which algorithms to use. It points to RFC1423.
Yes, I do recognize that. I was under the impression that MOSS was
"fully" modular with respect to encryption algorithms. Now you're
you're implying that it is not, that it requires the RFC1423 algorithm
suite as a minimum for interoperability.
If true, one consequence is that there could not be an exportable version
of MOSS. I'm not saying this is bad (in fact, it is probably good, on
balance), but it is an implication.
But I'd like to address the question in another way. I believe there have
been MOSS implementations with Fortezza algorithms (or the Mosaic suite,
or whatever they're called). Do these also implement RFC1423? If yes, then
I'd like to retract my statement. If not, then I'll stand by it.
If Jim Galvin's feature matrix is to be extended, then I'd like to add
three items. "Interoperable" means that two implementations conforming to
the standard are guaranteed to be able to communicate. "Interoperable
implies secure" means that there exists a lowest common denominator
algorithm implemented by all conforming implementations which has a
reasonable minimum keylength. Finally, "Exportable" means that there
exists a choice of algorithms that is exportable. Currently, the latter
two categories are mutually exclusive.
To fill in the matrix,
PGP MOSS PGP/MIME S/MIME MSP
Interoperable + ?(1) + + ?
Int=>Secure + +
Exportable + ?
(1) = this is the question raised above.
MSP - I just don't know, partly because the spec is still in flux.
Raph