Re: Evaluation: draft-ietf-impp-im - Common Profile for Instant Messaging (CPIM)



In message <5097740.1060214140@localhost>, Harald Tveit Alvestrand writes:
>
>
>--On 7. august 2003 00:29 -0400 "Steven M. Bellovin" <smb@research.att.com> 
>wrote:
>
>> The problem I have is that draft-ietf-impp-cpim-msgfmt lays out a
>> detailed set of requirements and explains how to use MIME.  If S/MIME
>> is the right answer, much of the rationale can be omitted, except
>> perhaps a short statement that the environmental model is very much
>> like the one that email has.  This is the message format RFC; it should
>> really point to the authoritative source for the desired encoding and
>> encapsulation.  The rationale, if needed at all, should have been in
>> draft-ietf-impp-im, which is setting out the framework.
>>
>> Beyond that, it isn't clear to me that they've said enough about how to
>> use CMS and S/MIME.  There are lots of possible options and variations;
>> I don't know that all are useful or correct here.  That's where I want
>> to defer to Russ.
>
>I'd like -msgfmt- to keep its mouth shut about whether to use S/MIME; it's 
>not really its business, since that ties into the whole trust model issue.
>As written, it's agnostic between S/MIME and PGP/MIME; it just advises that 
>security multiparts be used (which is a good thing for interoperability of 
>signed messages; even applications that don't understand the signature 
>format can at least extract the cleartext).
>
>It was a bit of a surprise to me that -im and -pres came out so strongly in 
>favour of S/MIME; I'll accept the WG's judgment here.

I don't think msgfmt can be silent -- it has to prescribe at least one 
mandatory-to-implement security mechanism, or there will be no 
interoperability.  I have no objection to them mandating any particular 
choice or group of choices, but they have to pick something.  (They 
could also mandate S/MIME with web-of-trust anchors, but that's the 
sort of heresy that tends to upset PKIX people. OK, Russ, I'll shut up 
now....)

		--Steve Bellovin, http://www.research.att.com/~smb
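
The interoperability point in the quoted text above, that a receiver which does not understand the signature format can still extract the cleartext from a security multipart, shown as an added example that is not part of the original message. The sample message, addresses, boundary and the `sample` and `read_signed` helpers are constructed for illustration; the signature part is a placeholder, not a real CMS or OpenPGP signature.

```python
from email import message_from_string, policy

# Constructed RFC 1847 multipart/signed sample. The second body part holds
# a placeholder string, not a real signature.
TEMPLATE = """\
From: alice@example.com
To: bob@example.com
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="{proto}";
 micalg={micalg}; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Meet at 10.
--b1
Content-Type: {proto}

PLACEHOLDER-SIGNATURE
--b1--
"""


def sample(proto, micalg):
    """Build the constructed sample for a given signature protocol."""
    return TEMPLATE.format(proto=proto, micalg=micalg)


def read_signed(raw):
    """Return (protocol, cleartext, verified) for a multipart/signed message."""
    msg = message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a security multipart")
    parts = list(msg.iter_parts())
    protocol = (msg.get_param("protocol") or "").lower()
    # RFC 1847: exactly two parts, and the second part's content type
    # must equal the protocol parameter of the enclosing multipart.
    if len(parts) != 2 or parts[1].get_content_type() != protocol:
        raise ValueError("malformed multipart/signed structure")
    # This reader implements no signature format, so the text is readable
    # but unauthenticated; callers must not treat it as verified.
    verified = False
    return protocol, parts[0].get_content(), verified


if __name__ == "__main__":
    for proto, micalg in (("application/pkcs7-signature", "sha-256"),
                          ("application/pgp-signature", "pgp-sha256")):
        print(read_signed(sample(proto, micalg)))
```

The same reader handles the S/MIME and PGP/MIME variants because only the `protocol` parameter and the second part differ; what it cannot do without a mandatory-to-implement mechanism is tell the user whether the text is authentic.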