ietf-smime

DOMSEC

2001-04-17 14:43:30
Hi Folks

This is in response to a message (reproduced below) from Anders Rundgren re
DOMSEC products and certificates, which was forwarded to me by a government
user of our products.

1. Any working implementations?

We supply a product called MailMarshal Secure, which is an e-mail gateway
that implements S/MIME domain security.  The product is being used by New
Zealand government agencies to sign and encrypt e-mail messages being sent
between agencies via the Internet.  The messages are signed/verified and
encrypted/decrypted by the gateway itself using domain certificates.  This
means that messages coming into a gateway can be content and virus checked
before being passed on to the recipient behind the gateway. The gateway
incorporates a flexible rules engine that can decide the circumstances in
which to sign and/or encrypt messages, or indeed whether to block sensitive
messages, perhaps being sent to a list containing addresses with unsecured
links.  The product is manufactured in New Zealand and sold worldwide.  I
can provide further information if anybody is interested.

2. A possibility to send me an entire DOMSEC-compatible S/MIME container.

Yes, I am sure that we can arrange to send you a signed message from a
MailMarshal Secure gateway.

Q1. If an e-mail server is not set up for DOMSEC, will the end-destination
still get the message without interoperability problems?

Presumably this depends on the e-mail server. Exchange by default of course
strips signatures from messages.  It doesn't matter with the MailMarshal
Secure gateway, which logically sits between an SMTP e-mail server and the
firewall.  Messages passed to the e-mail server from the gateway are
unsigned, in the clear, so the issue does not arise. The gateway itself is
(optionally depending on rules configuration) able to annotate or 'stamp' a
message to indicate a correct signature or otherwise.  The gateway can also
pass through signed/encrypted messages, from a desktop say, providing the
rules are configured to enable pass through.

Q2: Are there any TTPs issuing suitable certificates today in the same way
as they do for Web (domain)-servers?

We are New Zealand's first public Certification Authority.  We have been
providing certificates to enable the MailMarshal Secure gateways being
deployed by the NZ government to be authenticated.

Q3: Couldn't a single certificate actually serve both of these purposes?

Yes, the certs that we supply for use by gateways are our standards-compliant
X.509 v3 SSL server certs (the same ones that we supply for secure
web servers).  These are configured to adhere to the DOMSEC naming
standards, that the Common Name must be 'domain confidentiality authority'
and e-mail address must be domain-confidentiality-authority(_at_)domain(_dot_)

I hope that this information is useful and not too salesy. We helped to
design MailMarshal Secure and are enthusiastic about it as a product.  By
the way the gateway can also handle signed/encrypted mail to/from S/MIME
desktops.  It does this by implementing what I think is a unique mechanism
of using 'proxy certificates'.  A proxy certificate is generated by the
gateway for each user that wishes to send a signed message.  Proxy certs are
all signed by the gateway's common private key but contain the end-user's
e-mail address so that an S/MIME desktop will correctly verify the address
in the cert against the sender's address (in this case of course the whole
address being checked, not just the domain).  The use of the gateway private
key enables the gateway to do the signing and also to decrypt messages
encrypted using proxy certificates.  In effect this provides the means for
an organisation to send signed e-mail messages as a transparent service,
i.e. from desktops that do not support S/MIME and without user intervention.

If anybody would like further information please contact me at
ron(_dot_)segal(_at_)baycorpid(_dot_)com

All the best

Ron


Hi
I think DOMSEC is a very powerful concept but it does not seem to be widely
adopted and the S/MIME-list contains almost no discussions.

What I wonder is whether you out there have:

1. Any working implementations

2. A possibility to send me an entire signed DOMSEC-compatible S/MIME
container

Technical questions regarding DOMSEC:

Q1: If an e-mail server is not set up for DOMSEC, will the end-destination
still get the message without interoperability problems?

Q2: Are there any TTPs issuing suitable certificates today in the same way
as they do for Web (domain)-servers?

Q3: Couldn't a single certificate actually serve both of these purposes?

Regards
Anders Rundgren
X-OBI

--------------
Ron Segal
Business Development Manager
Baycorp ID Services Ltd
PO Box 5052, Wellington, New Zealand

Mailto: ron(_dot_)segal(_at_)baycorpid(_dot_)com
Tel:   +64 (4)  499 4231
DD:    +64 (4)  499 4261
Mob:   +64 (21) 678 009
Fax:   +64 (4)  499 4233
Web:   http://www.baycorpid.com


If you received a warning on reading this email, please go to
<http://www.baycorpid.com/settings/email.asp> to update your settings

Attachment: Ron Segal.vcf
Description: Vcard
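
The two address checks described in the message above (domain-only for a gateway certificate, whole address for a proxy certificate), as an added example that is not part of the original post and is not MailMarshal Secure code. The function names and `.example` addresses are constructed for illustration, the naming values are the ones quoted in the message, and the certificate fields are assumed to have already been extracted from the X.509 certificate.

```python
from email.utils import parseaddr

# Naming values as stated in the message above for gateway (domain) certificates.
DOMSEC_CN = "domain confidentiality authority"
DOMSEC_LOCAL_PART = "domain-confidentiality-authority"


def _split(addr):
    """Return (local_part, domain), lower-cased, or None if addr is not a mailbox.
    Comparing local parts case-insensitively is an assumption of this example."""
    _, mailbox = parseaddr(addr)
    local, sep, domain = mailbox.rpartition("@")
    if not sep or not local or not domain:
        return None
    return local.lower(), domain.lower().rstrip(".")


def matches_domain_cert(cert_cn, cert_email, peer_header):
    """Gateway certificate: fixed CN and local part, only the domain is compared."""
    cert, peer = _split(cert_email), _split(peer_header)
    if cert is None or peer is None:
        return False
    return (
        " ".join(cert_cn.lower().split()) == DOMSEC_CN
        and cert[0] == DOMSEC_LOCAL_PART
        and cert[1] == peer[1]  # exact match: no subdomain or suffix matching
    )


def matches_proxy_cert(cert_email, from_header):
    """Proxy certificate: the whole address in the cert must equal the sender's."""
    cert, sender = _split(cert_email), _split(from_header)
    return cert is not None and cert == sender


if __name__ == "__main__":
    dca = "domain-confidentiality-authority@agency-a.example"  # constructed sample
    print(matches_domain_cert("Domain Confidentiality Authority", dca,
                              "Bob <bob@agency-a.example>"))
    print(matches_domain_cert("Domain Confidentiality Authority", dca,
                              "bob@agency-a.example.lookalike.example"))
    print(matches_proxy_cert("alice@agency-a.example", "bob@agency-a.example"))
```
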
