pem-dev

Re: FYI: comments on adoption of PGP/MIME standard

1996-04-24 15:31:00
Jeff Cook wrote:

I don't understand the comment: "MOSS has already done an effective job of
killing itself, sadly." ...Jeff

   Simply that few people, if any, believe that MOSS will survive the
coming shakeout in e-mail encryption protocols with any kind of
substantial deployment.

   The reasons for this are complicated, and I don't claim to fully
understand them myself, but I'll give it a shot.
   I think the main problem is that its proponents underestimated the
amount of additional work that is required to make a standard viable.
MOSS has a standard and a barely-usable reference implementation. If it
was alone in the field, then that might have been enough. However, it's
going up against competitors that have much more momentum behind them.

   PGP, for example, has a usable and highly popular implementation out
there. In addition, it has a usable (though certainly not perfect) key
distribution infrastructure, including both e-mail and Web-based
keyservers. Further, it has a standardized (if flawed) cryptographic
checksum of keys, which aids in manual key management.

   S/MIME has the backing of many of the large players in both the
encryption and e-mail fields. There are currently five implementations
advanced enough for interoperability testing. There is an emerging
standard for cryptographic hashes of certificates, again facilitating
the manual bootstrapping of trust roots. I haven't been following the
key distribution aspect closely, but there is a Distributed Certificate
System architecture, supported by OpenSoft and probably others.

   This point is more controversial, but I believe that MOSS suffers
from its "algorithm independent" design philosophy. S/MIME and PGP are
both interoperable (i.e. any two implementations are guaranteed to
interoperate), and both recommend the implementation of adequate
symmetric encryption algorithms (PGP goes further and requires it). MOSS
is neither. I believe that algorithm-dependent aspects of any protocol
make a difference in the real world and must be addressed.

   The "sadly" part of my statement reflects the fact that the MOSS spec
itself is very good. However, when taken in broader context, it's just
not fully there, nor do I sense a will on the part of the MOSS designers
to be responsive to user needs and bring it up to the level of a truly
viable contender.

   I hope this answered your question.

Raph
