W3C home > Mailing lists > Public > ietf-discuss@w3.org > November 2002

Re: MIME Multipart security?

From: Richard Shockey <rshockey@ix.netcom.com>
Date: Sun, 10 Nov 2002 18:55:49 -0500
Message-Id: <>
To: Chris Newman <Chris.Newman@Sun.COM>, Dave Crocker <dcrocker@brandenburg.com>
Cc: Paul Hoffman / IMC <phoffman@imc.org>, discuss@apps.ietf.org

>The problem is that the majority market is not willing to compromise much 
>in the way of usability in order to attain security (and rightly so, 
>IMHO). And there are only two security user interfaces that have proven to 
>be widely deployable: username/password entry forms and smart cards that 
>"just work" like house keys or car keys.  I predict that any public-key 
>scheme which fails to present one of those two user interfaces as the 
>default user interface in the majority of products will be a failure in 
>the general market.
>>SASL is popular.  Would that we could have such a security negotiation
>>framework for store-and-forward object security.  Alas, trying to
>>"negotiate" in store and forward is rather difficult, as the
>>email-based use of CONNEG is demonstrating.

OK .. so IMHO the problem is still how do you make opportunistic key 
management usable across domain boundaries.

CONNEG is a possible way to solve the problem but NAPTR records could do 
the trick as well.

>>The other is to revive the simple PKI effort, to get a basic mechanism
>>that supports only a core set of cert functionality -- rather than the
>>cornucopia of policies that have been pursued -- and that scales but
>>is real, real easy to use.

yes please ...

>A major problem is that the customers who pay real money for 
>top-of-the-line object security have already choosen S/MIME and have 
>little interest in any alternative.  That leaves most large companies with 
>no will to expend resources on the larger problem of deployable object 
>While it would be entertaining to try a 4th attempt at application-level 
>object security (preferably this time with more input from application 
>experts and less from security purists), I think the odds of succeeding 
>have decreased significantly since the last 3 attempts.  If you really 
>wanted to pursue this direction, here's what I think it would take to succeed:
>1) Really good open-source implementations with free-for-commercial use 
>license, at least one in C and one in Java.
>2) Transition strategy from existing PKI systems that works and is 
>included in 1.
>3) A really good spec, that includes good discussion about user interface 
>requirements and how to deploy the system into an untrained average user 
>community (likely involving automatic fetching of generated private keys 
>over the Internet using TLS and a username/password pair).
>4) A major vendor or consortium backing the effort with enough clout to 
>get the attention of the trade rags.

NO ... a standard methodology to find the keys..and the willingness of the 
Security AD's to confront the issue head on ..

I posted a earlier message on the key management issue which may have been 
lost in the shuffle the ID I posted directly dealt with these issues.

Title           : Use of the DDDS System for Cryptographic Key Discovery
                           and Retrieval

A URL for this Internet-Draft is:

Its raw but lays out the basics.

The old siked list is still active and I personally interested in a BAR BOF 
on these issues.. if interested ..please post your interest.

Richard Shockey, Senior Manager, Strategic Technology Initiatives
NeuStar Inc.
46000 Center Oak Plaza  -   Sterling, VA  20166
Voice +1 571.434.5651 Cell : +1 314.503.0640,  Fax: +1 815.333.1237
<mailto:richard@shockey.us> or <mailto:richard.shockey@neustar.biz>
  <http://www.neustar.biz> ; <http://www.enum.org>
Received on Sunday, 10 November 2002 18:56:29 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:08:17 UTC