Re: MIME Multipart security?

At 11:03 AM 11/8/02 -0800, Chris Newman wrote:
>While it would be entertaining to try a 4th attempt at application-level 
>object security (preferably this time with more input from application 
>experts and less from security purists), I think the odds of succeeding 
>have decreased significantly since the last 3 attempts.  If you really 
>wanted to pursue this direction, here's what I think it would take to succeed:
>1) Really good open-source implementations with free-for-commercial use 
>license, at least one in C and one in Java.
>2) Transition strategy from existing PKI systems that works and is 
>included in 1.
>3) A really good spec, that includes good discussion about user interface 
>requirements and how to deploy the system into an untrained average user 
>community (likely involving automatic fetching of generated private keys 
>over the Internet using TLS and a username/password pair).
>4) A major vendor or consortium backing the effort with enough clout to 
>get the attention of the trade rags.

I'm trying to remember what your 3 object security mechanisms so far are 
(S/MIME, PGP, and ... PEM?, MOSS? ...)

Anyway, at risk of duplication, there is another object security framework 
on the blocks.  I am thinking of the combination of XMLDSIG [1], XMLENC [2] 
and XKMS [3].


[1] Eastlake, D., Reagle, J. and D. Solo, "XML-Signature Syntax and
Processing", W3C Recommendation xmldsig-core, October 

[2] Eastlake, D. and J. Reagle, "XML Encryption Syntax and Processing",
W3C Candidate Recommendation xmlenc-core, August 

[3] Ford, W., Hallam-Baker, P., Fox, B., Dillaway, B., LaMacchia, B., 
Epstein, J. and J. Lapp, "XML Key Management Specification (XKMS)", W3C 
Note xkms, March 2001.

Graham Klyne

Received on Saturday, 9 November 2002 06:36:04 UTC