UNINETT Forrige Start Neste

Formal standards: PEM and MOSS

Some history

The PEM standards, a product of the Internet Research Task Force (IRTF) and the PEM working group of the IETF, were published in February 1993, after a long period of discussion.

They were based upon two assumptions:

  1. Trust must be hierarchical, with people being "authorized" in a tree-like structure, with "everyone" trusting someone at the "root" of the tree to do its job properly
  2. The naming scheme developed in X.500 was a practical way of naming real-world people, objects and roles.
The developers recognized that the world might not be as simple as implied by the first assumption, but thought that this was a valid way to get going.

In 1995, the status is that the Internet Policy Registration Authority has signed certificates for somewhere between 5 and 20 "policy certification authorities"; the only one of these that has made its policy public as envisioned by RFC 1422 is UNINETT's pilot certification service.

A new standard was published in March 1995, called MOSS (MIME Object Security Services), which offers the same functionality as PEM, but does not force a single trust model, and allows the identification of users by names that don't have any realtionship to X.500, such as E-mail addresses.

Several interworking implementations exist; it remains to be seen whether this standard gains market acceptance.

The cryptoalgorithms used in PEM and MOSS are MD2 or MD5 for the checksum, DES-CBC for the text encryption, and RSA for the public key encryption.

Harald.T.Alvestrand@uninett.no
Last modified: Mon Jan 8 08:46:55 1996