OASIS Mailing List Archives

pki-tc message

Subject: Re: [pki-tc] Extranet S/MIME?


Dear Catherine,
 
Encrypted e-mail using S/MIME is, in spite of an obvious need, probably (from a deployment perspective) the least successful widely-known security standard ever.
 
However, in case you rather want to secure the messaging between a limited set of organizations, there is an alternative, fully supported method called STARTTLS.  It in effect opens a TLS-encrypted channel between the sending mail server and the receiving mail server.  If your mail server checks the TLS server certificate returned, you can, in addition to the encryption, also verify that you really are talking to an authentic server.
 
The advantage of this is that you, with limited work on the server side (only), can enable org-to-org security:
- without having to deploy client-side PKI (you've got it, but how about the other parties?)
- without having to teach people how to use encryption (it's on by default between the selected parties)
- without bypassing server content control of outgoing messages (a policy issue)
- without bypassing server controls for incoming viruses etc., which is a very bad side-effect of end-to-end encryption
 
It may be of interest to know that a signing scheme using similar ideas is in the works, called DomainKeys.  Although this is the 6th (!) IETF effort to create secure e-mail, I believe that this time they are on the right track, as the security architects (finally) have realized that e-mail actually is a two-dimensional identity (name@domain) structure and that security should be designed accordingly.
 
regards
Anders Rundgren
PKI Architect etc. (working for a major computer security company, but the views expressed here are my own and do not necessarily represent those of my employer)
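
The org-to-org STARTTLS setup described in the reply above, as an added example that is not part of the original thread (it is neither the author's nor OASIS code): a small Python relay client that reads a per-domain TLS policy, requires STARTTLS plus a CA-verified server certificate carrying one of a set of known MX names for selected partner domains, and falls back to opportunistic TLS for everyone else. The policy-map format is modeled loosely on Postfix's smtp_tls_policy_maps but is this script's own; the domain names, MX hostnames, message and peer-certificate dictionary are constructed sample data, and the helper names (parse_policy_map, policy_for, tls_context, cert_matches, deliver) are assumptions.

```python
"""Org-to-org e-mail security with STARTTLS and server certificate checks.

Added example, not code from the original thread. The policy-map format is
modeled loosely on Postfix's smtp_tls_policy_maps but is this script's own.
"""
from __future__ import annotations

import smtplib
import ssl
from dataclasses import dataclass
from email.message import EmailMessage


@dataclass(frozen=True)
class TlsPolicy:
    level: str                    # "none", "may" (opportunistic) or "secure"
    match_names: tuple[str, ...]  # hostnames the server cert must carry ("secure" only)


# Constructed sample policy map: partner domains get mandatory TLS with a
# CA-verified certificate pinned to known MX names; "*" is the default.
SAMPLE_POLICY_MAP = """
# domain                level    match=hostname[,hostname]
partnerbank.example     secure   match=mx1.partnerbank.example,mx2.partnerbank.example
auditors.example        secure   match=smtp.auditors.example
*                       may
"""

# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "mx1.partnerbank.example"),),),
    "subjectAltName": (("DNS", "mx1.partnerbank.example"), ("DNS", "mx2.partnerbank.example")),
}


def parse_policy_map(text: str) -> dict[str, TlsPolicy]:
    """Parse the policy map into {domain: TlsPolicy}; '#' starts a comment."""
    policies: dict[str, TlsPolicy] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        domain, level = fields[0].lower(), fields[1].lower()
        if level not in ("none", "may", "secure"):
            raise ValueError(f"unknown TLS level {level!r} for {domain}")
        names: tuple[str, ...] = ()
        for option in fields[2:]:
            if option.startswith("match="):
                names = tuple(n.lower() for n in option[len("match="):].split(","))
        if level == "secure" and not names:
            # The MX hostname comes from unauthenticated DNS, so "verified" only
            # means something if we know in advance which names to expect.
            raise ValueError(f"'secure' for {domain} requires match=...")
        policies[domain] = TlsPolicy(level, names)
    return policies


def policy_for(domain: str, policies: dict[str, TlsPolicy]) -> TlsPolicy:
    """Exact domain entry first, then the '*' default, else opportunistic TLS."""
    return policies.get(domain.lower()) or policies.get("*") or TlsPolicy("may", ())


def tls_context(policy: TlsPolicy) -> ssl.SSLContext:
    """Client context: full verification for 'secure', relaxed for 'may'."""
    ctx = ssl.create_default_context()  # CA chain + hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if policy.level == "may":
        # Opportunistic: take encryption if offered but tolerate self-signed or
        # mismatched certs. Defeats passive sniffing only, not an active MITM.
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def cert_matches(cert: dict, names: tuple[str, ...]) -> bool:
    """True if a dNSName SAN (or the CN when there is no SAN) equals a pinned name."""
    sans = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not sans:
        sans = [v.lower() for rdn in cert.get("subject", ())
                for kind, v in rdn if kind == "commonName"]
    return any(name in sans for name in names)


def deliver(msg: EmailMessage, mx_host: str, policy: TlsPolicy, port: int = 25) -> str:
    """Relay msg to mx_host under policy; returns the channel type actually used."""
    with smtplib.SMTP(mx_host, port, timeout=30) as smtp:
        smtp.ehlo()
        if policy.level == "none" or not smtp.has_extn("starttls"):
            if policy.level == "secure":
                raise RuntimeError(f"{mx_host}: STARTTLS not offered but policy requires it")
            smtp.send_message(msg)
            return "plaintext"
        smtp.starttls(context=tls_context(policy))
        smtp.ehlo()  # EHLO again after STARTTLS (RFC 3207); features may change
        if policy.level == "secure":
            cert = smtp.sock.getpeercert()  # chain already CA-verified by the context
            if not cert_matches(cert, policy.match_names):
                raise RuntimeError(f"{mx_host}: certificate does not name a pinned host")
            smtp.send_message(msg)
            return "tls-verified"
        smtp.send_message(msg)
        return "tls-opportunistic"


if __name__ == "__main__":
    policies = parse_policy_map(SAMPLE_POLICY_MAP)
    for domain in ("partnerbank.example", "auditors.example", "random.example"):
        print(domain, policy_for(domain, policies))
    print("pinned-name check on sample cert:",
          cert_matches(SAMPLE_PEER_CERT, policy_for("partnerbank.example", policies).match_names))
    # A real run would be: deliver(msg, "mx1.partnerbank.example", policy_for(...))
```

The two checks are deliberately separate: ssl.create_default_context() verifies the chain and the name of the host we dialled, but that host came from an MX lookup an attacker can influence, so the match= names in the policy are what tie the session to the partner organisation rather than to whatever DNS returned. The "may" branch shows the weak counterpart, which keeps mail flowing to non-partners but gives no authenticity.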
 
----- Original Message -----
Sent: Thursday, January 06, 2005 01:28
Subject: [pki-tc] Extranet S/MIME?

Hi All,

I'm seeking expert opinions and recommendations on how to support S/MIME communications in an extranet. Specifically, decrypting an encrypted email from another company, i.e., the recipient needs to get hold of the email author's certificate. Does that mean there needs to be an extranet directory service to facilitate obtaining certificates? If not, what service needs to be set up to facilitate that?


Thank you in advance,

Catherine Li
CAST PKI Development
Wells Fargo Services
Office:   415.243.6228
Fax:      415.975.6780
MAC:    A0186-056
Email:   licather@wellsfargo.com

This message may contain confidential and/or privileged information.  If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein.  If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message.  Thank you for your cooperation.


