Re: Mandatory MIME security

> The IESG is now operating with the policy that application protocols must
> mandate implementation of (at least one) strong security mechanism.  In the
> case of store-and-forward, MIME-based applications this means choosing
> between S/MIME and OpenPGP.  One of them must be mandated for
> implementation. (More are, of course, allowed)
> These standards have been around for a long time and yet the market has not
> yet adopted one.  Hence mandating either of them goes against considerable
> real-world market experience -- no matter how much any of us might wish for
> a single market choice.

It seems quite reasonable to me that different MIME-based apps would
make different choices here, depending on the assumptions about
relationships between the communicating parties and which trust
model works best with each.

Then again, if we could standardize a way of generating an X.509 cert
from a PGP key pair, then perhaps it wouldn't be such a big issue
after all.  I suspect the divisiveness is more over the trust model
and the investment in different kinds of keying systems than in
the actual data formats and software.

Also, the choice between S/MIME or OpenPGP data formats may not
necessarily be sufficient to ensure interoperability - for some
applications it might still be necessary to state some expectations
about trust relationships.


Received on Thursday, 7 November 2002 12:35:09 UTC