Vendors work for one e-mail protocol


Security vendors are working to merge two security standards for electronic messaging that would make it easier for military and civilian agencies to send secure electronic mail to each other.

For years there have been several competing standards to secure e-mail, but none of these could interoperate with the others. However, two standards, the Message Security Protocol (MSP), used by the Defense Department on the Defense Message System, and Secure Multipurpose Internet Mail Extensions (S/MIME), used by civilian agencies, have become the most widely used security standards.

But the two protocols do not interoperate, which means if a DMS user wants to send secure e-mail to a user outside the department, the message must first go through a gateway that "interprets" the message and strips off the security. The effort, driven by private industry, to create a single protocol for commercial and government secure messaging would add MSP services to S/MIME and would make it easier for companies to develop and support products.

Government users will benefit because it will simplify communications between DMS and non-DMS users by increasing interoperability, and it will expand the number of products they could choose.

The National Security Agency said it "strongly" supports the goal of producing a single security protocol for e-mail, although it said it is still too soon to tell whether it will recommend the merged standard or not.

"A single security protocol that meets the requirements of government, military and commercial users in both [Simple Mail Transfer Protocol] and X.400 environments will provide benefits to developers and users," NSA noted in a written statement.

"Developers will not have to choose between two different protocols to satisfy different user needs. Users will...more likely...be able to interoperate with each other at the protocol layer and should have more products to choose from when buying," the statement noted.

Marion Royal, telecommunications specialist in the General Services Administration's Center for Electronic Messaging Technologies, agreed that a convergence would be beneficial to users. "This is something we need now," Royal said.

The problem today is that users must trust the server to recognize and change an MSP or S/MIME encrypted message accordingly, something that users are not completely comfortable with, particularly if a third party manages the gateway, he said.

MSP is more secure than S/MIME, but S/MIME is more widely supported in the commercial world, said Brian O'Higgins, executive vice president and chief technology officer at Entrust Technologies, which is involved in the standards effort. MSP and S/MIME encrypt and digitally sign an e-mail message.

"The question is: 'How can we make S/MIME better?'" he said. "In a few years S/MIME will look like MSP."

The next version of S/MIME will contain four new features currently found in MSP: security labels, which are labels attached to the message, such as Top Secret; return receipts, which prove a user received an e-mail message and that it was not changed en route; support for mail lists, which allows a user to offload encryption processing to a server for large distribution; and support for key management techniques beyond RSA Data Security Inc.

"Because of those features, S/MIME should be interesting to government users," O'Higgins said. "They don't want to be stuck on an island and realize that they can't interoperate with anyone."

Key players in this effort are Spyrus, J.G. Van Dyke and Associates, Xerox Corp., Demming, RSA Data Security, Internet Mail Consortium and Entrust Technologies.

The next step, said Russ Housley, chief scientist at Spyrus and one of the authors of MSP, is to write the documents that explain the changes proposed to S/MIME and release them to a broader audience for comment. There is a workshop later this month, sponsored by RSA Data Security, which owns the S/MIME specification, on part of the recommendations.

The official standards effort will begin when an Internet Engineering Task Force S/MIME working group is formed and a chairperson is selected, which could happen as early as August, according to NSA. A final standard could happen in about a year, although it is unclear whether it will be an official or a de facto standard.

But when the final standard is developed "doesn't matter because the effort to merge [the two protocols] will happen anyway," O'Higgins said.