After reading the RFCs for PEM (1421-1424), I am curious what other people think about PEM. For cypherpunks agenda, in what ways is PEM lacking? My take is: 1. PEM is a protocol, only applicable to mail (perhaps only to internet mail) while PGP is program that provides similar services for mail, but is also applicable to non-mail related encryption tasks. 2. PEM and PGP don't aggree on the symmetric algorithms (DES, IDEA). 3. PEM certificates are bulky, and transmission is encouraged. 4. PEM certificates are issued by Certificate Authorities, which would seem to preclude PGP's 'web of trust' model. These all seem to have answers: 1. PEM is protocal, PGP is a program that implements much of what PEM is... why not make PGP PEM compliant. 2. Propose IDEA as a symmetric algorithm for PEM. 3. Ha! PGP already has key servers. 4. Propose a revion to the certification scheme where USER certificates would be created by the owner and signed by non-certificate-authority acquaintances ala PGP. Yes, this would take time and effort. No, this should not be taken as an affront to our current and previous efforts. I think that we should persue _every_ avenue. If the only real problem with PEM is the trust model, and we can change that, then this would be a strongly legitimizing action. Scott Collins | "Few people realize what tremendous power there | is in one of these things." -- Willy Wonka ......................|................................................ BUSINESS. voice:408.862.0540 fax:974.6094 collins@newton.apple.com Apple Computer, Inc. 1 Infinite Loop, MS 301-2C Cupertino, CA 95014 ....................................................................... PERSONAL. voice/fax:408.257.1746 1024:669687 catalyst@netcom.com