Re: Evaluation: draft-ietf-impp-im - Common Profile for Instant Messaging (CPIM)
In message <5097740.1060214140@localhost>, Harald Tveit Alvestrand writes:
>
>
>--On 7. august 2003 00:29 -0400 "Steven M. Bellovin" <smb@research.att.com>
>wrote:
>
>> The problem I have is that draft-ietf-impp-cpim-msgfmt lays out a
>> detailed set of requirements and explains how to use MIME. If S/MIME
>> is the right answer, much of the rationale can be omitted, except
>> perhaps a short statement that the environmental model is very much
>> like the one that email has. This is the message format RFC; it should
>> really point to the authoritative source for the desired encoding and
>> encapsulation. The rationale, if needed at all, should have been in
>> draft-ietf-impp-im, which is setting out the framework.
>>
>> Beyond that, it isn't clear to me that they've said enough about how to
>> use CMS and S/MIME. There are lots of possible options and variations;
>> I don't know that all are useful or correct here. That's where I want
>> to defer to Russ.
>
>I'd like -msgfmt- to keep its mouth shut about whether to use S/MIME; it's
>not really its business, since that ties into the whole trust model issue.
>As written, it's agnostic between S/MIME and PGP/MIME; it just advises that
>security multiparts be used (which is a good thing for interoperability of
>signed messages; even applications that don't understand the signature
>format can at least extract the cleartext).
>
>It was a bit of a surprise to me that -im and -pres came out so strongly in
>favour of S/MIME; I'll accept the WG's judgment here.

I don't think msgfmt can be silent -- it has to prescribe at least one
mandatory-to-implement security mechanism, or there will be no
interoperability. I have no objection to them mandating any particular
choice or group of choices, but they have to pick something. (They
could also mandate S/MIME with web-of-trust anchors, but that's the
sort of heresy that tends to upset PKIX people. OK, Russ, I'll shut up
now....)
--Steve Bellovin, http://www.research.att.com/~smb
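As an added illustration of the interoperability point raised in the quoted text (this is example code written for this page, not code from the thread, the CPIM drafts, or any IETF implementation): an RFC 1847 multipart/signed message carries the cleartext as its first body part and the detached signature as its second, with the outer Content-Type's `protocol` parameter naming the signature's MIME type. A reader that cannot verify the signature can therefore still recover the cleartext. The signature bytes below are a constructed placeholder rather than a real S/MIME or PGP/MIME signature, the `KNOWN_PROTOCOLS` set is a hypothetical reader's capability list, and `application/x-example-signature` is a made-up protocol name used only to exercise the "unknown signature format" case.

```python
# Added example, not code from the IETF thread or the CPIM drafts.
# Demonstrates why security multiparts (RFC 1847) help interoperability:
# the cleartext is a separate MIME part, so extraction does not depend on
# understanding the signature protocol. The signature bytes are a
# constructed placeholder, not a real S/MIME or PGP/MIME signature.
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.parser import BytesParser

# Hypothetical: the signature protocols this particular reader can verify.
KNOWN_PROTOCOLS = {"application/pkcs7-signature", "application/pgp-signature"}


def build_multipart_signed(cleartext, protocol, micalg, signature):
    """Assemble an RFC 1847 multipart/signed message.

    Part 1 is the protected body; part 2 is the detached signature whose
    MIME type equals the 'protocol' parameter on the outer Content-Type.
    """
    outer = MIMEMultipart("signed", protocol=protocol, micalg=micalg)
    outer["From"] = "alice@example.org"   # constructed sample addresses
    outer["To"] = "bob@example.org"
    outer["Subject"] = "signed test"
    # us-ascii keeps the body 7bit, as the signing convention expects;
    # the signer computes its signature over this canonical first part.
    outer.attach(MIMEText(cleartext, "plain", "us-ascii"))
    subtype = protocol.split("/", 1)[1]
    outer.attach(MIMEApplication(signature, subtype, name="signature"))
    return outer.as_bytes()


def extract_cleartext(raw):
    """Recover the cleartext of a multipart/signed message.

    Returns the body text, the declared protocol and whether this reader
    could verify it. Verification itself is out of scope here; the point
    is that extraction works even when the protocol is not understood.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    parts = list(msg.iter_parts())
    if len(parts) != 2:
        raise ValueError("multipart/signed must have exactly two parts")
    body, sig = parts
    protocol = msg.get_param("protocol")
    # The signature part's type must match the advertised protocol,
    # otherwise the structure is malformed and should not be trusted.
    if sig.get_content_type() != protocol:
        raise ValueError("signature part does not match protocol parameter")
    return {
        "cleartext": body.get_content(),
        "protocol": protocol,
        "micalg": msg.get_param("micalg"),
        "signature_len": len(sig.get_content()),
        "verifiable_here": protocol in KNOWN_PROTOCOLS,
    }


if __name__ == "__main__":
    raw = build_multipart_signed("Hello, this is the signed body.\n",
                                 "application/pkcs7-signature", "sha-256",
                                 b"\x30\x82placeholder")
    print(extract_cleartext(raw))
    raw = build_multipart_signed("Same body, unknown signature format.\n",
                                 "application/x-example-signature", "sha-256",
                                 b"opaque")
    print(extract_cleartext(raw))
```

The second call shows the case Alvestrand describes: the reader does not recognise `application/x-example-signature`, so `verifiable_here` is false, but the cleartext still comes back intact. A real client would surface that state to the user as "unverified" rather than silently treating the message as signed.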