- From: Dan Kohn <dan@dankohn.com>
- Date: Thu, 7 Nov 2002 16:10:00 -0800
- To: "Dave Crocker" <dcrocker@brandenburg.com>, "Paul Hoffman / IMC" <phoffman@imc.org>
- Cc: <discuss@apps.ietf.org>
Dave, I think your draft is valuable at bringing out the issues of concern. We should (hopefully) all be able to agree on the following facts:

1) Both standards can support any trust model and either seems to adequately provide MIME security.
2) Neither PGP nor S/MIME has had any serious market acceptance to date.
3) The market has not chosen one over another.

However, the implications of these facts are very much open to debate. Personally, I draw exactly the opposite conclusion from you. I think the IESG policy is correct, in that it implements a critical concept from RFC 1958, Architectural Principles of the Internet, Section 3.2: "If there are several ways of doing the same thing, choose one."

In my mind, the analogy to the standards world is the relative failure of US 2G cellular standards (TDMA vs. CDMA) vs. a single European standard (GSM) that was adopted around the world. The market (in the US) was never able to pick one standard. In Europe, an (arguably) inferior technology -- GSM -- was mandated, but the lack of options caused widespread adoption (and also resulted in all the inferior aspects being fixed). That is, although there is a history of standards bodies pushing a technology that was not adopted (e.g., OSI), there is also a history where selection of one standard caused ubiquitous penetration.

Another analogy is that neither VHS nor Betamax took off until one of them died off (in that case due to market acceptance, not standards bodies), where DVD penetration has grown far faster because there was only one format.

BTW, the other relevant examples that come to mind are more ambiguous. SIPP was selected for IPv6 over TUBA, but penetration is obviously still very weak. Also, IKE was chosen over SKIP, and penetration is still only so-so, though much better than if there were two incompatible standards.

- dan

--
Dan Kohn <mailto:dan@dankohn.com>
<http://www.dankohn.com/> <tel:+1-650-327-2600>

-----Original Message-----
From: Dave Crocker [mailto:dcrocker@brandenburg.com]
Sent: Thursday, November 07, 2002 11:32
To: Paul Hoffman / IMC
Cc: Dave Crocker; discuss@apps.ietf.org
Subject: Re: Mandatory MIME security

Paul,

Thursday, November 7, 2002, 11:19:49 AM, you wrote:

Paul> Whoops, sorry. I took the meaning of your draft to say that you
Paul> wanted the IETF to do something.

The "A MODEST PROPOSAL" section suggests four things to do.

Paul> OK. But we disagree about what the market is. The market of protocol
Paul> developers have leaned strongly towards PKIX and away from OpenPGP
Paul> authentication.

Silly me. I keep thinking that markets are defined by customers and users, not providers. The massive lack of user adoption of either technology is all that really matters.

I thought we cared more about what users will use than what makes developers happy. (I said more. That doesn't mean ignore developers, it means that we should keep our priorities straight.)

>>Therefore having the IETF try to choose one is both arbitrary and contrary.

Paul> Here, we disagree. The IETF can choose one based on what the vendors
Paul> who will have to implement the standard want.

Please review the history of OSI. It is exactly this philosophy that was operating for the 15 years of that failed effort.

Again, silly me. I thought paid attention to use of technology, not just its implementation.

(There are plenty of other standards groups that do an excellent job following the philosophy you have described. And I thought the IETF had a well-established pattern of using different, and more pragmatic, criteria.)

>>There is no clear basis for making a global choice for one of them. And
>>there is clear market feedback that neither is preferred by a rough
>>consensus of that market.

Paul> If you mean "email users" as the market, we definitely agree. If you
Paul> mean "the protocols that need to have security", we don't agree.

Fine. Please cite the multi-million user open (no pair-wise coordination) market that has adopted and is using one of these.

d/
--
Dave Crocker <mailto:dcrocker@brandenburg.com>
TribalWise <http://www.tribalwise.com>
t +1.408.246.8253; f +1.408.850.1850

Received on Thursday, 7 November 2002 19:12:17 UTC