pem-dev

Re: Securing messages across gateways

1995-10-27 09:36:00

Hey folks! I'm at Worldtalk Corporation and we're contemplating incorporating
S/MIME into our Internet gateway. Tim and Steve from RSA tell me that there are
a couple of you working on these problems also and said that more help would be
appreciated (even at this late date), so I hope I can be of some help.

Is it the feeling of this group that all vendors should use S/MIME and thus the
only thing a gateway has to do is pass the tagged encrypted parts through to a
mail system which will understand it?

Does a remote mail system have to know S/MIME or just PKCS?

In my understanding of S/MIME and MOSS, you basically cannot apply many of
the usual gateway conversions (attachments & data formats) without
seriously compromising security.  If you choose the decrypt/encrypt route,
then the gateway must have people's private keys.

The reason, of course, that a gateway would want to do something to the
encrypted part is because there is MIME formatting (e.g., multiple
attachments) in it.  I'm sure this has been discussed at length many times
over the years, but it seems this is the trade-off between protecting the
MIME structure of a message and the ability to gateway encrypted messages.
You protect the MIME structure because you don't want people to know the
number, types, and descriptions of the things you are sending.  If you
decide only to encrypt the leaves of a message, then you lose some secrecy,
but you gain the ability to have gateways.  From my understanding, both
S/MIME and MOSS (and the new PGP draft) have all opted for extra secrecy
with no possibility of gatewaying.

If my logic serves me this morning, this means to have secure interoperable
e-mail with, say, Microsoft mail, Microsoft mail clients are going to have
to understand a little MIME and vice versa (ugh).  I hope my logic is
wrong...

Laurence Lundblade    <lgl(_at_)qualcomm(_dot_)com>
QUALCOMM,Inc.         619-658-3584
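The trade-off described in the message above, as an added example that is not part of the original post and not code from Worldtalk, RSA or QUALCOMM: a Python script that builds the same three-part message both ways, sealing the whole MIME structure (the S/MIME, MOSS and PGP/MIME approach the post describes) and sealing only the leaves, then shows what a gateway without private keys can see and act on in each layout, and that the key holder recovers the same content either way. Everything in it is an assumption for illustration: the header values and attachment contents are constructed, and `seal()`/`unseal()` are a stand-in keyed-hash stream rather than real PKCS#7 EnvelopedData, since the point is what the MIME container leaks, not the cipher. Only the standard-library `email` package is used.

```python
"""
Added example, not code from the pem-dev thread or from any vendor named in
it: the two ways of applying encryption to a MIME message that the post
contrasts (seal the whole MIME structure vs. seal only the leaves), seen from
a gateway that holds no private key.  Names, headers and attachment contents
are constructed.  seal()/unseal() stand in for the PKCS#7 EnvelopedData an
S/MIME agent would produce (keyed SHA-256 in counter mode, unauthenticated,
not S/MIME); they exist only to make an opaque blob so that what the MIME
container still reveals can be compared between the two layouts.
"""
import hashlib
import os
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default as default_policy


def _keystream(key: bytes, n: int) -> bytes:
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in envelope: random nonce || plaintext XOR keystream(key, nonce)."""
    nonce = os.urandom(16)
    ks = _keystream(key + nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key + nonce, len(body))))


def opaque_part(blob: bytes, description=None) -> EmailMessage:
    """The application/pkcs7-mime entity a gateway actually sees on the wire."""
    part = EmailMessage(policy=default_policy)
    part.set_content(blob, maintype="application", subtype="pkcs7-mime",
                     params={"smime-type": "enveloped-data"},
                     filename="smime.p7m")
    if description is not None:
        part["Content-Description"] = description
    return part


def plaintext_body() -> EmailMessage:
    """Constructed sample: a text body plus two attachments (multipart/mixed)."""
    body = EmailMessage(policy=default_policy)
    body.set_content("Numbers attached.")
    body.add_attachment(b"%PDF-1.4 (constructed)", maintype="application",
                        subtype="pdf", filename="q3-report.pdf")
    body.add_attachment("region,revenue\nwest,12\n", subtype="csv",
                        filename="q3-raw.csv")
    return body


def encrypt_whole(key: bytes) -> EmailMessage:
    """Layout 1 (S/MIME, MOSS, PGP/MIME draft): seal the entire multipart entity.
    Part count, types and filenames sit inside the envelope; a gateway sees one
    opaque part and can only pass it through untouched."""
    outer = opaque_part(seal(key, plaintext_body().as_bytes()))
    outer["Subject"] = "Q3 figures"  # constructed
    return outer


def encrypt_leaves(key: bytes) -> EmailMessage:
    """Layout 2: seal each leaf separately.  The multipart/mixed skeleton stays
    in the clear and the label a gateway needs travels outside the envelope."""
    outer = EmailMessage(policy=default_policy)
    outer["Subject"] = "Q3 figures"  # constructed
    outer.make_mixed()
    for leaf in plaintext_body().iter_parts():
        label = leaf.get_filename() or leaf.get_content_type()
        outer.attach(opaque_part(seal(key, leaf.as_bytes()), description=label))
    return outer


def gateway_view(wire: bytes) -> list:
    """What a keyless gateway learns: (content type, description) per visible
    part.  Each entry is also the unit it can act on, e.g. hand it to a non-MIME
    mail system as a separate attachment without touching the ciphertext."""
    msg = message_from_bytes(wire, policy=default_policy)
    parts = list(msg.iter_parts()) if msg.is_multipart() else [msg]
    return [(p.get_content_type(),
             str(p["Content-Description"]) if p["Content-Description"] else None)
            for p in parts]


def recipient_open(key: bytes, wire: bytes) -> list:
    """Key holder's view: content types of the recovered leaves, either layout."""
    msg = message_from_bytes(wire, policy=default_policy)
    if not msg.is_multipart():  # layout 1: one envelope around the whole body
        inner = message_from_bytes(unseal(key, msg.get_content()),
                                   policy=default_policy)
        return [p.get_content_type() for p in inner.iter_parts()]
    return [message_from_bytes(unseal(key, p.get_content()),  # layout 2
                               policy=default_policy).get_content_type()
            for p in msg.iter_parts()]


if __name__ == "__main__":
    key = os.urandom(32)
    for name, msg in (("whole", encrypt_whole(key)), ("leaves", encrypt_leaves(key))):
        wire = msg.as_bytes()
        print(name, "gateway sees:", gateway_view(wire))
        print(name, "recipient gets:", recipient_open(key, wire))
```

Running it shows the two sides of the trade-off in the post: with the whole structure sealed, the gateway sees a single `application/pkcs7-mime` part and nothing about how many attachments it holds; with only the leaves sealed, it sees three parts and their labels, which is exactly the secrecy given up in exchange for being able to split, route or re-wrap the message for a system that does not understand MIME. The same key recovers all three leaves in both layouts, so the loss is purely metadata, not content.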
