Dear PEMers,
I have been asked to give a brief talk on PEM at the
6 June 94 Computer Professionals for Social Responsibility
conference, apparently as a replacement for someone else.
Even after hurriedly poring through my accumulated pem-dev
mail, I am not confident I'm up-to-speed on PEM.
Below is a draft outline of what I am planning to say.
I would appreciate it if you'd give me any comments you have
on the draft of this 10-minute "non-technical" talk.
Thanks to Jeff Thompson for info on MIME/PEM.
Thanks!
Mark R. mrr(_at_)ripem(_dot_)msu(_dot_)edu
---------------------------------------------------------------
An Introduction to Privacy-Enhanced Mail
(Draft outline by Mark Riordan 1 June 1994)
Internet PEM is a particular standard for encrypting and/or
signing email messages. Described in documents known as
Internet Requests for Comment 1421-1424.
PEM provides confidentiality, authentication, message integrity
assurance, and non-repudiation of origin. Standards describe
algorithms, means of representing encrypted messages, and means
of validating keys.
Typically, PEM involves public key cryptography using RSA. Data
encrypted with DES and digested with MD5. (Though technically
other algorithms meet the standard.)
PEM may be integrated into a mail program, or a user may invoke
a PEM encryption program to create a secured message, then use a
non-PEM-aware mail program to send the secured message.
Concept of certificates: A document containing a someone's
public key, and a digital signature from someone you trust
assuring you this is really the right key for this person.
[Ignore CRL's; this is probably too technical already.]
Show a PEM message. Very briefly explain layout of message.
Implementations:
Apps:
TIS/PEM and T-Mail (Trusted Information Systems) Unix
TechMail-PEM (MIT) Mac
RIPEM (Several private developers on the Internet) Mac
SECURExchange (Datamedia) PC/Mac
Several in Europe Probably Unix-only (?)
Others?? There must be many others, given TIPEM, etc.
Toolkits:
TIPEM toolkit (RSADSI) Various
RSAREF toolkit (RSADSI) Various
Still, PEM is not widely implemented or used. Changes to the
standard are under consideration.
Barriers to widespread use of PEM:
* Non-text messages not addressed.
* No means of obtaining someone's public key.
* Use of certificate issuer and serial number to identify users
is awkward, limits audience.
* Certification hierarchy not flexible enough for all users.
May require too much administration or expense.
* Essential algorithm, RSA, is patented.
Work is underway to propose email encryption standards that
address some of these issues. Incorporation of PEM-like
security into MIME (Multipurpose Internet Mail Extensions)
standards will:
* Allow arbitrary data to be encrypted and sent by email.
* Allow specification of a recipient by name or email address,
in addition to certificate-based identification.
* Allow for retrieval of a someone's public key (certificate) by
email.
* Allow for non-hierarchical, web-of-trust, multiple-rooted
network of trusted signers. Individual user specifies who is
trusted.
Challenge for PEM is to gain widespread acceptance. For email
security to be widely used, a single standard must emerge to
which many email service providers will conform. This standard
must address enough needs, and become visible enough, to attract
a majority of developers and users. With luck, PEM may become
that standard.