Standards for secure E-mail
The nice thing about standards is that there are so many to choose
from. Furthermore, if you do not like any of them, you can just wait
for next year's model. (Tanenbaum, "Computer Networks", second
edition, page 254)
If you want secure E-mail, you must choose a security function. It is
not possible for two different security systems to interwork. Not just
difficult; impossible.
- X.400 security features interoperate only with other implementors of
X.400 security features, which makes them more or less useless
in the NORDUNet community.
- The US Defense Dept's Message Security Protocol works fine
within DoD X.400 or Internet mail systems.
- Lotus Notes and Microsoft Mail have security functions. So what?
- Privacy Enhanced Mail (PEM) works fine, but looks ugly, needs a
certificate infrastructure, and doesn't sit well with MIME.
- Pretty Good Privacy (PGP) works fine, can be deployed
anarchically, and doesn't sit well with MIME.
- Security Multiparts and MOSS offer PEM-like functionality, but
without requiring a comprehensive certificate
infrastructure, and sit well with MIME.
- S/MIME was defined by RSA and a couple of other companies,
offers a poor solution for signed messages, and is incompatible
with anything else.
None of them are implemented in any large number of commercial
products yet, of course; most vendors would rather wait until the
winner is clear and jump on that; unfortunately, if all companies
follow that strategy, the emergence of a winner will be pretty slow.
In the rest of the speech, I have dropped from consideration all those
solutions that do not work in the Internet mail community, either
because they are proprietary (such as S/MIME) or inapplicable (such as
X.400).
Harald.T.Alvestrand@uninett.no
Last modified: Fri Nov 3 10:40:38 1995