Re: Evaluation: draft-ietf-impp-im - Common Profile for Instant Messaging (CPIM)
In message <p06001a02bb57769c1417@[64.134.94.162]>, hardie@qualcomm.com writes:
>At 10:38 PM -0400 8/6/03, Steven M. Bellovin wrote:
>>In message <200307241803.OAA18923@ietf.org>, IESG Secretary writes:
>>>
>>>Last Call to expire on: 2003-06-27
>>>
>>> Please return the full line with your position.
>>>
>>> Yes No-Objection Discuss Abstain
>>>Steve Bellovin [ ] [ ] [ ] [ ]
>>
>>draft-ietf-impp-cpim-msgfmt
>> Why isn't it using S/MIME or CMS? The problem statement
>> sounds about the same.
>>
>> (I'd really like Russ to see these documents; he's the S/MIME
>> expert.)
>
>In section 4 of draft-ietf-impp-im, this covers the use of s/mime and
>cms:
>
> When end-to-end security is required, the message operation MUST use
> MSGFMT, and MUST secure the MSGFMT MIME body with S/MIME [8], with
> encryption (CMS EnvelopeData) and/or S/MIME signatures (CMS
> SignedData).
>
>Is this needed in draft-ietf-impp-cpim-msgfmt as well, or is there something
>else needed entirely?

The problem I have is that draft-ietf-impp-cpim-msgfmt lays out a
detailed set of requirements and explains how to use MIME. If S/MIME
is the right answer, much of the rationale can be omitted, except
perhaps a short statement that the environmental model is very much
like the one that email has. This is the message format RFC; it should
really point to the authoritative source for the desired encoding and
encapsulation. The rationale, if needed at all, should have been in
draft-ietf-impp-im, which is setting out the framework.

Beyond that, it isn't clear to me that they've said enough about how to
use CMS and S/MIME. There are lots of possible options and variations;
I don't know that all are useful or correct here. That's where I want
to defer to Russ.

--Steve Bellovin, http://www.research.att.com/~smb