IETF Logo Mail Archive

Re: Issues with S/MIME Message Specification

Russ Housley <housley@spyrus.com> Wed, 02 June 1999 01:07 UTC

Received: from mail.proper.com (mail.proper.com [206.86.127.224]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA08265 for <smime-archive@odin.ietf.org>; Tue, 1 Jun 1999 21:07:57 -0400 (EDT)
Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id RAA28011 for ietf-smime-bks; Tue, 1 Jun 1999 17:12:08 -0700 (PDT)
Received: from spyrus.com (mail.spyrus.com [207.212.34.30]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id RAA28007 for <ietf-smime@imc.org>; Tue, 1 Jun 1999 17:12:07 -0700 (PDT)
Received: from rhousley_laptop.spyrus.com (swf-caw1.spyrus.com [207.212.34.211]) by spyrus.com (8.7.6/8.7.3/arc) with SMTP id RAA02442; Tue, 1 Jun 1999 17:10:24 -0700 (PDT)
Message-Id: <4.1.19990601200917.00a23cd0@mail.spyrus.com>
X-Sender: rhousley@mail.spyrus.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Tue, 01 Jun 1999 20:11:05 -0400
To: Bob Jueneman <BJUENEMAN@novell.com>
From: Russ Housley <housley@spyrus.com>
Subject: Re: Issues with S/MIME Message Specification
Cc: ietf-smime@imc.org, jis@mit.edu, MLeech@nortel.ca
In-Reply-To: <s75404c9.084@prv-mail25.provo.novell.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Bob:

I would like to see the specifications published as RFCs, then get some
implementation experience.  I believe that the most valuable spec changes
will result from implementaion experiences.  So, I would expec to wait a
few months before we query the working group for issues and proposed solutions.

Russ


At 04:05 PM 6/1/99 -0600, Bob Jueneman wrote:
>Russ, and others,
>
>I regret the timing of my remarks, which was unfortunate.  Although
>I had been following along the S/MIME discussions, it was not
>an area I was responsible for until very recently. I hope to be able to
>
>make more of a contribution in the future. Unfortunately, the fact that
>
>my comments came just after, rather than before the Last Call, was 
>viewed with distaste  by some, and perhaps understandably so.
>
>My concern for the apparently duplication of algorithm specifications
>was to prevent exactly the kind of unfortunate disagreement in
>specifications as occurred with the may/should for RSA signature,
>but I overlooked the fact that CMS is intended to have a broader scope
>than just the S/MIME specification, and that the S/MIME spec was
>picking and choosing a profile of algorithms from a larger set.
>
>Although I feel as strongly as most of the members of the IETF 
>regarding the need for strong cryptography, I do disagree with 
>the policy of mandating strong algorithms as a MUST, as I would 
>prefer to deal with such issues on the political, rather than as
>an issue for the standards community to deal with. I will address that
>
>issue with the IESG, as you requested, rather than burden the list.
>
>However, since S/MIME provides a way for one user to inform
>other correspondents of their preferred algorithms, the only practical
>implication (other than the not so trivial issue of specsmanship and 
>conformance) is the question of what is to be done as a default, 
>in the absence of prior knowledge.  But according to 2.7.1.3 (Rule 3,
>Unknown Capabilities, Unknown Version of S/MIME), the rule is
>that the sending agent SHOULD use triple-DES -- not MUST.
>I can live with that -- that gives the implementor leeway to
>have the user specify a default option, request notification, etc.
>
>On a different subject, can I ask you what the plan is for 
>entertaining further comments and/or proposed revisions to 
>either the S/MIME or CMS specification, prior to their 
>consideration as Draft Standard?  Will suggestion for revisions 
>be in order at some point in time, or is that decision expected 
>to be a straight up/down vote?
>
>Regards,
>
>Bob
>
>
>
>Robert R. Jueneman
>Security Architect
>Network Security Development
>Novell, Inc.
>122 East 1700 South
>Provo, UT 84606
>bjueneman@novell.com
>1-801-861-7387
>
>>>> Russ Housley <housley@spyrus.com> 05/24/99 08:45AM >>>
>Bob:
>
>In CMS Section 12.3.2, RSA Key Management is a "should" implement
>algorithm.  As a result of an editorial error, in CMS Section 12.2,
>RSA
>Signature is a "may" implement algorithm.  I thought that they had the
>same
>"should" status.  This would be consistent with the MSG document.
>
>We went through great pains to include support many, many algorithms
>in
>CMS.  The  "must" implement algorithms to provide a set of
>interoperable
>strong algorithms.  The "should" implement algorithms provide backward
>compatibility with S/MIMEv2.  Any other algorithm is considered a
>"may"
>implement algorithm. RSA with OAEP falls into this "may" implement
>category.
>
>The IETF consistently includes strong algorithms in standards.  If you
>wish
>to discuss this policy, please discuss it in a broader context (not
>just
>S/MIME) with the IETF Security Area Directors (Jeff Schiller and
>Marcus
>Leech).  I have CCed them on this e-mail message, so you have their
>addresses.  I do not consider this an approprate topic for the S/MIME
>mail
>list.
>
>I wish you had raised this inconsistency during CMS and MSG Last Call. 
>The
>IESG has approved these documents.  I hope you will raise this topic
>again
>when the documents are considered for Draft Standard status.
>
>Russ
>  S/MIME WG Chair  &
>  CMS Document Editor
>

v2.39.1 | Report a Bug | By Email | System Status