RE: Mandatory MIME security

Dave, I think your draft is valuable in bringing out the issues of
concern.  We should (hopefully) all be able to agree on the following:

1) Both standards can support any trust model and either seems to
adequately provide MIME security.
2) Neither PGP nor S/MIME has had any serious market acceptance to date.
3) The market has not chosen one over another.

However, the implications of these facts are very much open to debate.
Personally, I draw exactly the opposite conclusion from yours.  I think
the IESG policy is correct, in that it implements a critical concept
from RFC 1958, Architectural Principles of the Internet, Section 3.2:

  "If there are several ways of doing the same thing, choose one."

In my mind, the analogy to the standards world is the relative failure
of US 2G cellular standards (TDMA vs. CDMA) vs. a single European
standard (GSM) that was adopted around the world.  The market (in the
US) was never able to pick one standard.  In Europe, an (arguably)
inferior technology -- GSM -- was mandated, but the lack of options
caused widespread adoption (and also resulted in all the inferior
aspects being fixed).

That is, although there is a history of standards bodies pushing a
technology that was not adopted (e.g., OSI), there is also a history
where selection of one standard caused ubiquitous penetration.  Another
analogy is that neither VHS nor Betamax took off until one of them died
off (in that case due to market acceptance, not standards bodies), whereas
DVD penetration has grown far faster because there was only one format.

BTW, the other relevant examples that come to mind are more ambiguous.
SIPP was selected for IPv6 over TUBA, but penetration is obviously still
very weak.  Also, IKE was chosen over SKIP, and penetration is still
only so-so, though much better than if there were two incompatible

          - dan
Dan Kohn
<tel:+1-650-327-2600>

-----Original Message-----
From: Dave Crocker
Sent: Thursday, November 07, 2002 11:32
To: Paul Hoffman / IMC
Cc: Dave Crocker;
Subject: Re: Mandatory MIME security
Thursday, November 7, 2002, 11:19:49 AM, you wrote:
Paul> Whoops, sorry. I took the meaning of your draft to say that you
Paul> wanted the IETF to do something.

The "A MODEST PROPOSAL" section suggests four things to do.

Paul> OK. But we disagree about what the market is. The market of
Paul> developers have leaned strongly towards PKIX and away from OpenPGP
Paul> authentication.

Silly me. I keep thinking that markets are defined by customers and
not providers. The massive lack of user adoption of either technology is
that really matters.

I thought we cared more about what users will use than what makes
happy.  (I said more. That doesn't mean ignore developers, it means that
should keep our priorities straight.)

>>Therefore having the IETF try to choose one is both arbitrary and

Paul> Here, we disagree. The IETF can choose one based on what the
Paul> who will have to implement the standard want.

Please review the history of OSI.  It is exactly this philosophy that
operating for the 15 years of that failed effort.

Again, silly me.  I thought paid attention to use of technology, not
its implementation.  (There are plenty of other standards groups that do
excellent job following the philosophy you have described.  And I
the IETF had a well-established pattern of using different, and more
pragmatic, criteria.)

>>There is no clear basis for making a global choice for one of them.
>>there is clear market feedback that neither is preferred by a rough
>>consensus of that market.

Paul> If you mean "email users" as the market, we definitely agree. If
Paul> mean "the protocols that need to have security", we don't agree.
Please cite the multi-million user open (no pair-wise coordination)
that has adopted and is using one of these.

 Dave Crocker
 TribalWise
 t +1.408.246.8253; f +1.408.850.1850

Received on Thursday, 7 November 2002 19:12:17 UTC