Question 132. What is PEM-MIME, or What is MOSS?

PEM-MIME, also known as MIME Object Security Standard or MOSS, is a proposed Internet Draft [CFG95] that is designed to be a successor to PEM (see Question 130). It proposes adding PEM- based security services to MIME messages in much the same manner as S/MIME (see Question 131). Due to the nature of MIME, it is possible to apply different security services to each part of the body. For example, the MIME body may contain two copies of a message, with one copy digitally signed and the other copy not modified in any way. This will allow a recipient to read the message even if the recipient does not have a MIME-compliant mail reader. If the recipient has a privacy-enhanced MIME compliant mail reader, the recipient will be able to verify the digital signature as well. Another possibility would be to encrypt different blocks of the message body using different keys and algorithms, or to sign some blocks and not others need not b.

The proposed standard has come under criticism because the requirements for PEM-MIME mailers are extremely flexible. This flexibility can result in two different PEM-MIME-compliant mailers where one mailer can produce PEM-MIME messages that the other PEM-MIME mailer is unable to read. This flexibility is in part a reaction to the rigidity in the structure of PEM, which was not very popular among users. S/MIME treads a somewhat middle ground between the rigid standards of PEM and the loosely defined requirements of PEM-MIME.