Re: Mandatory MIME security

From: Paul Hoffman / IMC <phoffman@imc.org>
Date: Thu, 7 Nov 2002 10:47:42 -0800
Message-Id: <p05200f22b9f063b88625@[]>
To: discuss@apps.ietf.org

At 12:34 PM -0500 11/7/02, Keith Moore wrote:
>It seems quite reasonable to me that different MIME-based apps would
>make different choices here, depending on the assumptions about
>relationships between the communicating parties and which trust
>model works best with each.

This is a common misconception. OpenPGP authentication can be made to 
work in a hierarchical fashion, and PKIX authentication can be made 
to work in a web of trust. There is nothing inherent in either 
authentication mechanism that forces it in one way or another.

Each format's certificates simply say "Person A says that Public Key 
B belongs to Person C". The way that you decide to trust or not trust 
a particular public key is pretty much unstated in OpenPGP and fairly 
obscurely stated for PKIX.

Given the above, I would be hard-pressed to say to a protocol 
designer "based on the way the formats work, you should use this 
format over that one".

Dave is absolutely right: the IETF should pick one for protocols to 
use in IETF standards.

--Paul Hoffman, Director
--Internet Mail Consortium
Received on Thursday, 7 November 2002 13:48:21 UTC
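
The point made in the message above, as an added example that is not part of the original message: one set of "A says key B belongs to C" statements is evaluated under a hierarchical policy and under a web-of-trust policy. All names, key labels and the two-introducer threshold are constructed assumptions, and signature verification is assumed to have already succeeded for every statement.

```python
from collections import namedtuple

# Constructed sample data. Each certificate is only the triple the message
# describes: "Person A (issuer) says that Public Key B belongs to Person C".
Cert = namedtuple("Cert", "issuer key subject")

CERTS = [
    Cert("root", "K-alice", "alice"),
    Cert("alice", "K-bob", "bob"),
    Cert("carol", "K-bob", "bob"),
    Cert("dave", "K-bob", "bob"),
    Cert("carol", "K-erin", "erin"),
]


def hierarchical_trust(certs, anchors, key, subject, max_depth=5):
    """Accept a binding if its issuer chains back to a configured trust anchor.

    max_depth is a hypothetical path-length limit; it also stops cycles.
    """
    def issuer_ok(name, depth):
        if name in anchors:
            return True
        if depth == 0:
            return False
        # An issuer is acceptable if an acceptable issuer certified it in turn.
        return any(issuer_ok(c.issuer, depth - 1)
                   for c in certs if c.subject == name)

    return any(issuer_ok(c.issuer, max_depth)
               for c in certs if c.key == key and c.subject == subject)


def web_of_trust(certs, introducers, key, subject, needed=2):
    """Accept a binding if enough directly trusted introducers vouch for it.

    `needed` is a hypothetical local policy threshold, not a format rule.
    """
    vouchers = {c.issuer for c in certs
                if c.key == key and c.subject == subject
                and c.issuer in introducers}
    return len(vouchers) >= needed


if __name__ == "__main__":
    for key, subject in [("K-alice", "alice"), ("K-bob", "bob"), ("K-erin", "erin")]:
        print(subject,
              "hierarchy:", hierarchical_trust(CERTS, {"root"}, key, subject),
              "web:", web_of_trust(CERTS, {"carol", "dave"}, key, subject))
```

The statements never change between the two calls; only the verifier's policy inputs (anchors versus introducers and threshold) do, which is why the same binding can be accepted under one policy and rejected under the other.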
