
Decision: Encryption Method/Product



>
>I believe we have two choices for our final recommendation on the security
>product/standard:
>      1) recommend one product/standard as the primary (not only) -- the one
>         we help CommerceNet interoperability test, or
>
>      2) decide that we can not make a choice and state it and make sure
>         the translators each have a new trading partner field added for
>         "encryption methods used" such as: MOSS, S/MIME, X.12.58,
>         PGP/MIME, none, or other.
>
>      3) ((Others?))
>
>QUESTION: From a developer's or implementor's point-of-view, does either
>choice make it significantly easier to get interoperability between EDI
>products NOW?
>
There's no doubt in my mind that choosing one would accelerate the
interoperability in the near term.  The question we have to ask is are we limiting
ourselves to future needs by doing this?  Maybe a middle road would be to
clearly and definitely recommend ONE, and recognize some of the other key
contenders as possibilities, with other possible contenders in the future.
Hopefully, the matrix will help make the right choice.

This would allow product vendors to regionalize products if necessary, and
to take country-specific laws into consideration.

Then the question about Diffie-Hellman vs. RSA.  Everything I've read/heard
tells me that D-H is very comparable with RSA from a security standpoint.
If we thought that there would be a myriad of product vendors for EDI UTA's
it might be in our best interest to make it affordable sooner, to include
digital envelope/signature stuff (i.e. Diffie-Hellman), but I think the reality
is that there will be a few large vendors, and if they want to dish out the
extra for RSA, it's their decision.  (of course, we end up paying for it...)

I'm sure there are other arguments on this, so bring it on...

***************************
Mats Jansson
LiNK
415-780-9039
mjansson@agathon.com