Re: Mandatory MIME security

At 08:39 AM 11/7/2002 -0800, Dave Crocker wrote:
>The IESG is now operating with the policy that application protocols must
>mandate implementation of (at least one) strong security mechanism.  In the
>case of store-and-forward, MIME-base applications this means choosing
>between S/MIME and OpenPGP.  One of them must be mandated for
>implementation. (More are, of course, allowed)
>These standards have been around for a long time and yet the market has not
>yet adopted one.  Hence mandating either of them goes against considerable
>real-world market experience -- no matter how much any of us might wish for
>a single market choice.
>I am hoping there will be some public discussion of this policy and have
>   <>
>to prime the discussion pump.  This list seems like the best venue, since
>MIME and the issue of general MIME-based security do not have any other list

I'd certainly like to second Dave's thoughts here but for a different 
reason. Mandating MIME Security IMHO is potentially harmful since the IETF 
has been unable or unwilling to tackle the underlying problem of 
application specific opportunistic key discovery service which could make 
S/MIME or PGP easier to use.

This was the general thrust of the siked BOF in Minneapolis, that as many 
of us remember, did not go well.

Now the Security AD's have permitted a BOF in Atlanta on the narrowly 
scoped problem of IPSEC keys [ ipsedkey ] on Tuesday afternoon.

This is fine .. we all believe that narrowly scoped problem statements lead 
to WG success, tackle the small problems first before the bigger ones. I 
would again suggest the that general problem has not gone away and must 
eventually be addressed.

I submit the two issues are linked.

A number of us have submitted personal ID' touching on the subject.

Title           : Using DNS to securely publish SSH key fingerprints

A URL for this Internet-Draft is:

Title           : Domain-based Application Service Location Using SRV
                           RRs and the Dynamic Delegation Discovery Service

A URL for this Internet-Draft is:

Title           : Use of the DDDS System for Cryptographic Key Discovery
                           and Retrieval

A URL for this Internet-Draft is:

Richard Shockey, Senior Manager, Strategic Technology Initiatives
NeuStar Inc.
46000 Center Oak Plaza  -   Sterling, VA  20166
Voice +1 571.434.5651 Cell : +1 314.503.0640,  Fax: +1 815.333.1237
<> or <>
  <> ; <>

Received on Thursday, 7 November 2002 22:08:43 UTC