
PGP/MIME vs. S/MIME vs. MOSS




I have heard/read conflicting information on S/MIME and MOSS.

I know that PGP/MIME, after reading the Internet Draft, allows one to
encrypt and send the file/message and the digital signature together.  This
is obviously a more secure method than leaving the signature open to be read
by any snooper or sniffer out there.  I.e., you have to decrypt before
analyzing the digital signature/message digest.

My questions are:

1. Does S/MIME leave the signature open?  I.e., is there any provision in
S/MIME to include the signature in the encryption?

2. Does MOSS allow for including the signature in the encryption in order to
protect it?

I quickly read through our "IETF EDIINT Working Draft" document and the
comparison matrix, but could not find anything other than a statement in the
matrix that MOSS messages could be identified as signed or unsigned.

Also, I would appreciate some more dialogue on Robert's cryptanalysis
concern with S/MIME:

>But the biggest concern I have of the strength of S/MIME is the presence of
>any known text.  All of those imbedded MIME headers.  This is exactly the
>attack that got Microsoft's WFW .pwl files!  (If you know that starting in
>position 10 you will find the string 'application', the crypto analysis is
>very easy).
>

BTW - I agree very much with Robert's other concern with S/MIME:

>The other problem with S/MIME is that it will tend to restrict product to
>those that can afford to pay RSA.
>

Appreciate any comments!

Regards,
dave_d
======================================
|   David Darnell              
|   SysTrends, Inc.             
|   Arizona EC/EDI Roundtable   
|   1850 East Carver Road       
|   Tempe, AZ 85284             
|   Tel (602)838-5316           
|   Fax (602)897-8032           
|   mailto://dave_d@systrends.com        
======================================