- From: Keith Moore <moore@cs.utk.edu>
- Date: Thu, 07 Nov 2002 12:34:20 -0500
- To: Dave Crocker <dcrocker@brandenburg.com>
- cc: discuss@apps.ietf.org

> The IESG is now operating with the policy that application protocols must
> mandate implementation of (at least one) strong security mechanism. In the
> case of store-and-forward, MIME-base applications this means choosing
> between S/MIME and OpenPGP. One of them must be mandated for
> implementation. (More are, of course, allowed)
>
> These standards have been around for a long time and yet the market has not
> yet adopted one. Hence mandating either of them goes against considerable
> real-world market experience -- no matter how much any of us might wish for
> a single market choice.

It seems quite reasonable to me that different MIME-based apps would make different choices here, depending on the assumptions about relationships between the communicating parties and which trust model works best with each.

Then again, if we could standardize a way of generating an X.509 cert from a PGP key pair, then perhaps it wouldn't be such a big issue after all. I suspect the divisiveness is more over the trust model and the investment in different kinds of keying systems than in the actual data formats and software.

Also, the choice between S/MIME or OpenPGP data formats may not necessarily be sufficient to ensure interoperability - for some applications it might still be necessary to state some expectations about trust relationships.

Keith

Received on Thursday, 7 November 2002 12:35:09 UTC