RE: Mandatory MIME security from Dan Kohn on 2002-11-08 (ietf-discuss@w3.org from November 2002)

From: Dan Kohn <dan@dankohn.com>
Date: Thu, 7 Nov 2002 16:10:00 -0800
To: "Dave Crocker" <dcrocker@brandenburg.com>, "Paul Hoffman / IMC" <phoffman@imc.org>
Cc: <discuss@apps.ietf.org>
Message-ID: <A23DE7A325D23B49A76B54080E0BCB9E292534@kabul.skymv.com>
Dave, I think your draft is valuable at bringing out the issues of
concern.  We should (hopefully) all be able to agree on the following
facts:

1) Both standards can support any trust model and either seems to
adequately provide MIME security.
2) Neither PGP nor S/MIME has had any serious market acceptance to date.
3) The market has not chosen one over another.

However, the implications of these facts are very much open to debate.
Personally, I draw the exactly opposite conclusion than you.  I think
the IESG policy is correct, in that it implements a critical concept
from RFC 1958, Architectural Principles of the Internet, Section 3.2:

  "If there are several ways of doing the same thing, choose one."

In my mind, the analogy to the standards world is the relative failure
of US 2G cellular standards (TDMA vs. CDMA) vs. a single European
standard (GSM) that was adopted around the world.  The market (in the
US) was never able to pick one standard.  In Europe, an (arguably)
inferior technology -- GSM -- was mandated, but the lack of options
caused widespread adoption (and also resulted in all the inferior
aspects being fixed).

That is, although there is a history of standards bodies pushing a
technology that was not adopted (e.g., OSI), there is also a history
where selection of one standard caused ubiquitous penetration.  Another
analogy is that neither VHS nor Betamax took off until one of them died
off (in that case due to market acceptance, not standards bodies), where
DVD penetration has grown far faster because there was only one format.

BTW, the other relevant examples that come to mind are more ambiguous.
SIPP was selected for IPv6 over TUBA, but penetration is obviously still
very weak.  Also, IKE was chosen over SKIP, and penetration is still
only so-so, though much better than if there were two incompatible
standards.

          - dan
--
Dan Kohn <mailto:dan@dankohn.com>
<http://www.dankohn.com/>  <tel:+1-650-327-2600>  


-----Original Message-----
From: Dave Crocker [mailto:dcrocker@brandenburg.com] 
Sent: Thursday, November 07, 2002 11:32
To: Paul Hoffman / IMC
Cc: Dave Crocker; discuss@apps.ietf.org
Subject: Re: Mandatory MIME security


Paul,


Thursday, November 7, 2002, 11:19:49 AM, you wrote:
Paul> Whoops, sorry. I took the meaning of your draft to say that you
Paul> wanted the IETF to do something.

The "A MODEST PROPOSAL" section suggests four things to do.


Paul> OK. But we disagree about what the market is. The market of
protocol
Paul> developers have leaned strongly towards PKIX and away from OpenPGP

Paul> authentication.

Silly me. I keep thinking that markets are defined by customers and
users,
not providers. The massive lack of user adoption of either technology is
all
that really matters.

I thought we cared more about what users will use than what makes
developers
happy.  (I said more. That doesn't mean ignore developers, it means that
we
should keep our priorities straight.)


>>Therefore having the IETF try to choose one is both arbitrary and
contrary.

Paul> Here, we disagree. The IETF can choose one based on what the
vendors 
Paul> who will have to implement the standard want.

Please review the history of OSI.  It is exactly this philosophy that
was
operating for the 15 years of that failed effort.

Again, silly me.  I thought paid attention to use of technology, not
just
its implementation.  (There are plenty of other standards groups that do
an
excellent job following the philosophy you have described.  And I
thought
the IETF had a well-established pattern of using different, and more
pragmatic, criteria.)


>>There is no clear basis for making a global choice for one of them.
And
>>there is clear market feedback that neither is preferred by a rough
>>consensus of that market.

Paul> If you mean "email users" as the market, we definitely agree. If
you 
Paul> mean "the protocols that need to have security", we don't agree.

Fine.

Please cite the multi-million user open (no pair-wise coordination)
market
that has adopted and is using one of these.

d/
-- 
 Dave Crocker  <mailto:dcrocker@brandenburg.com>
 TribalWise <http://www.tribalwise.com>
 t +1.408.246.8253; f +1.408.850.1850
Received on Thursday, 7 November 2002 19:12:17 UTC