Re: The case against redundancy and isolation

[Jeremey Barrett <jeremey@xxxxxxxxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----

Thomas Roessler writes:
 > On November 19 1997, Jeremey Barrett wrote:
 > 
 > With MIME, it is immediately obvious to the recipient that
 > the message was signed or encrypted, whether or not they
 > may have a PGP-capable mail reader.  It is also trivial to
 > use this non-PGP-aware software to handle PGP/MIME signed
 > messages correctly when replying.  

It is equally obvious to the non-MIME mail reader that this ASCII
armored mail message was signed. However, it is not obvious that
a PGP/MIME signed message has anything but gibberish in it. Ever 
used 'mail' to read a MIME message? :-)

I'm not saying MIME is bad, I'm saying that eliminating ASCII armor
is a step in the wrong direction.

 > 
 > > I want to be able to send secure email to people who don't
 > > use MIME, that is a very useful feature of PGP in the
 > > context of email, and I don't see any reason at all to not
 > > include ASCII armoring in the draft.
 > 
 > I want to be able to send PGP-signed email to mailing
 > lists where not everybody has PGP at hand.  Nevertheless,
 > everybody should be able to properly handle my messages
 > (which might quite well include diff(1) output and similar
 > things).  Separating the cryptographic signature from the
 > message's content proper is one of the most useful
 > features of multipart/signed messages.

In some cases, it is useful. In other cases, it's the wrong policy.
As Jon pointed out, PGP is not email software, there are a host
of other applications for PGP, which might well benefit (and do)
from ASCII armor.

 > 
 > > Yes, PGP is about security, and requiring PGP users to use
 > > MIME mail readers does not result in an increase in
 > > security. Quite the opposite.
 >             ^^^^^^^^^^^^^^^^^^^
 > 
 > How do you come to this conclusion?  I'm actually quite
 > glad to use a MIME and PGP capable Mail User Agent.  And
 > yes, I'm using it from my Unix shell.  And yes, it's
 > freely available.

My point is that _requiring_ MIME eliminates a set of users. That's
all. Eliminating users decreases the security of the system, because
less people have the necessary tools. If security is the goal (and
as I read the wg charter, "The whole purpose of Open-PGP is to provide
security services") then the elimination of ASCII armor is 
contradictory to the goals of the wg, IMO. It should be a MUST.

 > 
 > > IMO ASCII-armored PGP is not a competing standard on encoding
 > > techniques, rather it is an integral part of PGP and security.
 > 
 > I beg your pardon - PGP just works fine with binaryly
 > transmitted packet files.

Yes, but ASCII armor has quite alot of use, both in email and other
applications. It's crazy to require MIME _and_ eliminate ASCII armor.

Regards,
Jeremey.
- -- 
Jeremey Barrett                                BlueMoney Software Corp.
Crypto, Ecash, Commerce Systems               http://www.bluemoney.com/
PGP key fingerprint =  3B 42 1E D4 4B 17 0D 80  DC 59 6F 59 04 C3 83 64

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBNHXQ9S/fy+vkqMxNAQGsDwP+J4Lews16nwWdyqFNloPpaUCcQ6v9SyO3
M9eS3uEJOfITn9AEDOaP73iKda4WapKNJzHqObXCjPmVBvGrOBx0ORW7GFVvI9u/
Yd4v26kli0ZkfxyE0sK3fYwoHxKnLGcS1eEnC0j8SteQsw6yDWIJcVDraoFPq8I6
YsM5bL5uZh0=
=QZFb
-----END PGP SIGNATURE-----