
Corporate.Net
Secure Electronic-Mail: Return To Sender?
What S/MIME Is
S/MIME was developed to address message confidentiality, integrity, user authentication and sender nonrepudiation. It assumes an X.509 certificate infrastructure for the distribution of public keys, with a hierarchy of well-trusted Certificate Authorities (for more on Certificate Authorities, see "Certificate Authorities: How Valuable Are They?" www.NetworkComputing.com/806/806f1.html).
S/MIME uses the marriage of the MIME and RSA PKCS #7 data types, using RSA PKCS #10 for Certification Requests. Data is always a MIME entity (a body part, attachment or the whole message with all of its sub-parts), which is handed to the PKCS processes, thereby producing a PKCS object. This object is then wrapped up as a MIME message and sent.
S/MIME products use RSA public key methods for key exchange and digital signatures. Bulk message encryption is conducted using symmetric-key (private key) methods--either DES, Triple-DES or RSA RC2. In addition, some vendors may use proprietary methods (Entrust's CAST, for example) at the expense of interoperability.
Because of some ambiguity in the S/MIME specification, significant differences between S/MIME implementations exist. For example, S/MIME does not require the use of Certificate Revocation Lists, nor does it adequately address how IMAP messages are to be handled. Some IMAP features--like separately downloadable headers--may not function properly with S/MIME content, as the individual components of the message may not be signed or encrypted. Systems must also support the multipart/signed format if you want non-S/MIME clients to view messages that are signed but not encrypted. However, this format may cause message loss when crossing non-MIME environments.
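To make the two points above concrete (a MIME entity handed to PKCS #7 and then re-wrapped as MIME, and why only multipart/signed stays readable for a non-S/MIME client), here is an added example using Python's standard email library; it is not code from the article or from any vendor named in it. The PKCS #7 bytes are a constructed placeholder, since producing a real SignedData object needs the signer's RSA key and certificate.

```python
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed placeholder standing in for a real PKCS #7 SignedData object;
# a real S/MIME agent derives it from the signer's RSA key and certificate.
FAKE_PKCS7 = b"\x30\x80PLACEHOLDER-PKCS7-SIGNEDDATA"


def build_clear_signed(body_text):
    """multipart/signed: the MIME entity travels in the clear and the
    PKCS #7 detached signature rides alongside as a second body part,
    so a client without S/MIME support can still read the text."""
    inner = MIMEText(body_text, "plain")
    sig = MIMEApplication(FAKE_PKCS7, "pkcs7-signature", name="smime.p7s")
    msg = MIMEMultipart("signed", protocol="application/pkcs7-signature",
                        micalg="sha1")
    msg.attach(inner)
    msg.attach(sig)
    return msg.as_string()


def build_opaque_signed(body_text):
    """application/pkcs7-mime: the whole MIME entity is embedded inside the
    PKCS #7 object, so a client without S/MIME sees only an attachment."""
    inner = MIMEText(body_text, "plain").as_bytes()
    blob = FAKE_PKCS7 + inner  # constructed: real SignedData wraps `inner`
    msg = MIMEApplication(blob, "pkcs7-mime", name="smime.p7m")
    msg.set_param("smime-type", "signed-data")
    return msg.as_string()


def readable_without_smime(raw):
    """Return the text a non-S/MIME client can display, or None when the
    content is locked inside a PKCS #7 object it cannot open."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        # first part is the signed entity, second is the detached signature
        signed_entity = msg.get_payload()[0]
        return signed_entity.get_payload(decode=True).decode()
    if ctype == "application/pkcs7-mime":
        return None
    return msg.get_payload(decode=True).decode()
```

Note that the clear-signed form is exactly what a non-MIME gateway may mangle: any change to the first body part invalidates the detached signature, while the opaque form survives intact but is unreadable without S/MIME.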
S/MIME alone does not serve as a complete business-to-business commerce solution. It supports source nonrepudiation (the sender can't deny he or she sent a message), but it does not support nonrepudiation of receipt or delivery (the receiver can deny message receipt). Issues such as these have an effect on the use of S/MIME for electronic commerce and are being addressed by the EDIINT working group of the IETF (see "Safe and Secure Electronic Commerce," www.NetworkComputing.com/719/719cn4.html, and "Signed, Sealed & Delivered: CommerceNet Test Results," September 15, page 88).
The major vendors of proprietary messaging products--Microsoft, Novell and Lotus--have pledged support for S/MIME. These same vendors are also incorporating X.509 certificate services into their messaging products, Web servers and operating systems. Currently, S/MIME products are available from a range of vendors, including Netscape, ConnectSoft, Entrust Technologies, Innosoft International, OpenSoft and Worldtalk. With this much market momentum, S/MIME will provide the best road to multivendor messaging security.
David Willis can be reached at dwillis@nwc.com.

Updated October 24, 1997