Re: Decision: Encryption Method/Product
At 11:39 PM 5/20/96 -0700, Mats Jansson wrote:
>>I believe we have two choices for our final recommendation on the security
>>product/standard:
>> 1) recommend one product/standard as the primary (not only)-- the one
>>    we help CommerceNet interoperability test, or
>>
>> 2) decide that we can not make a choice and state it and make sure
>>    the translators each have a new trading partner field added for
>>    "encryption methods used" such as: MOSS, S/MIME, X.12.58,
>>    PGP/MIME, none, or other.
>>
>> 3) ((Others?))
>>
>>QUESTION: From a developer's or implementor's point-of-view, does either
>>choice make it significantly easier to get interoperability between EDI
>>products NOW?
>>
I missed the original message.
P.39 header style could deal a lot with this. Although I am still undecided
where the P.39 headers should be within or outside the secure envelope! Or
worse yet if some are exposed and others protected :(
We have reviewed these fields here and a few of them are pertinent to our
business and make sense to carry as separate multiparts in front of the EDI part.
>There's no doubt in my mind that choosing one would accelerate the inter-
>operability in the near term. The question we have to ask is are we limiting
>ourselves to future needs by doing this? Maybe a middle road would be to
>clearly and definitely recommend ONE, and recognize some of the other key
>contenders as possibilities, with other possible contenders in the future.
>Hopefully, the matrix will help make the right choice.
Do you mean one secure method? Don't even think it. Either the secure
method is obvious by what it does to the envelope, or it is tagged. With
all the other work that Dave is doing in this area, I would think that those
that participated in that effort realize this.
>This would allow product vendors to regionalize products if necessary, and
>to take country specific laws into consideration.
>
>Then the question about Diffie-Hellman vs. RSA. Everything I've read/heard
>tells me that D-H is very comparable with RSA from a security standpoint.
>If we thought that there would be a myriad of product vendors for EDI UTA's
>it might be in our best interest to make it affordable sooner, to include
>digital envelope/signature stuff (ie Diffie-Hellman), but I think the reality
>is that there will be a few large vendors, and if they want to dish out the
>extra for RSA, it's their decision. (of course, we end up paying for it...)
You define an envelope encryption standard that gets peer review. If it
survives the review and brings value to the community, it will get used.
The value of D-H over RSA in your implied thoughts here is patents. Note
that D-H is MUCH slower than RSA (per Jeff Schiller). Elgamal is in between
and its patent expires next winter.
Robert Moskowitz
Chrysler Corporation
(810) 758-8212