Re: MIME Security with PGP
Ian Duncan (id@CC.McGill.CA)
Tue, 30 Apr 1996 13:01:24 -0400 (EDT)

I'll try and answer the question of what alternative to the
current proposal might result from a WG effort ...

On Thu, 25 Apr 1996, Ned Freed wrote:
> [T]here really doesn't seem to be anything
> for this new group to discuss unless you want to:
>
> (1) Abandon the approach of using security multiparts for MIME
> encapsulation of PGP material.
>
> (2) Change PGP proper to make it possible to use more of
> security multiparts.
>
> (3) Spend a heck of a lot of time on minutiae.

I think you've missed, just slightly, a reasonable option. There's a
variation on (2) which involves describing a set of semantically
reversible mappings between existing PGP structures and a PGP profile for
security multiparts. This requires no change to PGP proper. A sloppy but
hopefully useful subtitle is "the MOSS-ultralite profile using existing
PGP tools". It isn't idle speculation on my part about the feasibility of
doing mapping. I spent a lot of time about a year ago convincing myself
that it was possible.

It would require an additional bit of smart plumbing somewhere to
support processing of a PGP-MIME message with the existing PGP
applications. If, in the future, the "PGP development team" decided
to include PGP-MIME as a native mode of operation, all the better. If we got
it done quickly it could be a feature of PGP 3.0.

Given that, the only real rub is that any user of existing PGP tools who
has no MIME capabilities would have to find and configure the PGP-MIME
filter and mpack or metamail before being able to play. But that's the
limit of it. The existing keys and core crypto application are directly
useable. I don't believe that's too big a cost for getting it right from
the get go. Just as a general principle, we can't move forward with
internet mail without expecting minimal MIME.

So, given this option, I have to disagree with the conclusion that the
current proposal is the best we can do today. We need a solid foundation
for moving forward. MIME has won the structured e-mail format battle. PGP
is a very popular and highly functional security tool. Put the two
together correctly and I believe we'll finally have a winning combination.
An extra few months at this point isn't going to make a significant
difference, but rushing to get it wrong will successfully tank the
potential
--
Ian Duncan <id@CC.McGill.CA>
Constructive Advice
221 Patterson Ave., Ottawa
Canada, K1S 1Y4