Mandatory MIME Security Considered Harmful

Document Type Expired Internet-Draft (individual)
Author Dave Crocker 
Last updated 2002-11-04
Stream (None)
Intended RFC status (None)
Expired & archived
pdf htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


MIME is the preferred Internet mechanism for labeling and aggregating bulk data objects, such as for email and the web, and it is essential to have useful, MIME-based mechanisms. Indeed, two standards have existed for some years: OpenPGP and S/MIME. A current IESG policy for new application protocols requires that they mandate conforming implementations to support a single security mechanism. For applications using MIME security, this means that the specification is required to choose between S/MIME and OpenPGP. Although well-intentioned, the policy is at least useless and at worst counter-productive. This note discusses the problem and suggests returning to the previously acceptable policy that better reflects the lack of market resolve for MIME security.


Dave Crocker (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)