By John Fontana
After years of fierce debate, the de facto spec for encrypting and authenticating E-mail may finally become a legitimate Internet standard.
The Internet Engineering Task Force this week will consider a charter to form a working group charged with ratifying the Secure Multipurpose Internet Mail Extensions protocol (S/MIME).
That move would make it more likely S/MIME will become a formal standard, a process that could take up to nine months. S/MIME has already been endorsed by nearly every major supplier of corporate E-mail software.
The only things that may stand in the way now are statements that RSA Data Security Inc., the inventor of S/MIME, made during a media event it held in San Francisco last Friday. The company claimed it had direct involvement in getting S/MIME into the IETF. Those statements threaten to derail what appeared to be a clear path toward getting the standards process started.
IT managers, analysts and top messaging vendors believe the standardization of S/MIME is important because it could open the floodgates for applications that require secure messaging, including Internet-based EDI systems, electronic commerce applications and push technology.
An ad hoc committee this week is scheduled to submit the first draft proposals for S/MIMEv3, the next iteration of the protocol. The new draft version calls for strong cryptography and new digital signature technology, which address concerns that S/MIMEv2 included technology trademarked and licensed by RSA.
S/MIME's return to favor within the IETF would be a dramatic shift. Just two months ago, S/MIME was all but kicked off of the IETF's standards track because of licensing and trademark issues with RSA (www.rsa.com/smime), which originally wanted to maintain its right to control the standard.
However, in a letter sent Sept. 25 to the Internet Society, RSA gave up control of S/MIME. "They turned the whole thing over to the Internet community, even adding a few extras," said Internet Society president Don Heath.
Although it had appeared earlier last week that RSA had already ceded its rights to S/MIME, the company's latest statements put into question its commitment to relinquish control, as previously promised.
Jeff Schiller, security area director at the IETF, and Paul Hoffman, co-director of the Internet Mail Consortium and coauthor of the S/MIME specification, said RSA's characterization of its involvement in the process was inaccurate and may endanger the formation of the group.
"This is an attempt by RSA to mislead people that the IETF is endorsing [its patented] S/MIME technology," Schiller said.
RSA could not be reached for comment at press time.
The IETF, along with the Internet Architecture Board, will consider the charter this week.
IT managers would like to see S/MIME become an industry standard, not a de facto one.
"S/MIME and X.509 certificates are high on our list of standards because they're flexible enough for large corporations to use them the way they need to use them," said Durwin Sharp, electronic-commerce advisor at Exxon Corp. But there are still other issues to resolve.
"S/MIMEv3 has small changes that will be hotly debated, but the changes will meet the IETF's requirements for becoming a standard," added Hoffman.
RSA's current S/MIMEv2 does not require strong cryptography, although it suggests it. In S/MIMEv3, Diffie-Hellman will become the default cryptographic algorithm, although many other algorithms will be supported.
Another key addition is the switch to the National Security Administration's Digital Signature Standard (DSS), which will replace the RSA proprietary technology for digital signatures found in version 2. The patent on the RSA technology was a major sticking point for the IETF.
Although being an IETF standard would sharpen the focus on S/MIME, it's not the only game in town. The industry, however, has taken a stance on S/MIME, which offers something Open PGP does not: support for X.509 certificates. All the major messaging vendors, including IBM's Lotus, Microsoft, Netscape Communications and Novell, are supporting the S/MIME protocol or have announced support.
Copyright (c) 1997 CMP Media Inc.