Mandatory MIME security


The IESG is now operating with the policy that application protocols must
mandate implementation of (at least one) strong security mechanism.  In the
case of store-and-forward, MIME-base applications this means choosing
between S/MIME and OpenPGP.  One of them must be mandated for
implementation. (More are, of course, allowed)

These standards have been around for a long time and yet the market has not
yet adopted one.  Hence mandating either of them goes against considerable
real-world market experience -- no matter how much any of us might wish for
a single market choice.

I am hoping there will be some public discussion of this policy and have


to prime the discussion pump.  This list seems like the best venue, since
MIME and the issue of general MIME-based security do not have any other list

 Dave Crocker  <>
 TribalWise <>
 t +1.408.246.8253; f +1.408.850.1850

Received on Thursday, 7 November 2002 11:47:34 UTC