> Hey folks! I'm at Worldtalk Corporation and we're contemplating
> incorporating S/MIME into our Internet gateway. Tim and Steve from RSA tell
> me that there are a couple of you working on these problems also and said
> that more help would be appreciated (even at this late date), so I hope I
> can be of some help.
> Is it the feeling of this group that all vendors should use S/MIME and
> thus the only thing a gateway has to do is pass the tagged encrypted parts
> through to a mail system which will understand it?
For what it is worth, GTE is trying to cope with a Tower of Babel caused by a
proliferation of proprietary and SMTP mail packages, including a legacy X.400
'84 system left over when we sold off Sprint and Sprint Mail. Even with the use
of gateways, we can't reliably cope with enclosures sent between different
parts of the company. The problem has now escalated to Very Senior Management.
My recommendation to the task force was that we adopt the following position:
1. Standard SMTP only. No proprietary mail packages, and no X.400 either.
2. Corporate-wide implementation of a full-featured MIME to handle enclosures.
3. Corporate-wide implementation of MOSS, NOT, repeat, NOT S/MIME, to handle
end-to-end encryption and digital signatures.
4. Corporate-wide support of X.509 version 3, including a GTE Certification
Authority.
5. Corporate-wide implementation of X.500 within all e-mail systems (and other
MAPI-compatible systems) to handle certificate distribution, corporate
directory information including e-mail addresses, and profile information
regarding word processor versions, etc.
The reason for recommending MOSS rather than S/MIME was that I have been
convinced by the arguments of Ned Freed and others that the security multiparts
approach to handling MIME securely is much superior to the approach taken by
S/MIME.
Other than that, I don't care terribly much. I would prefer the approach to
defining encryption and signature blocks that is used in PKCS, especially if
they update PKCS to include X.509 v3 compatibility, and I'm not at all fond of
the PGP-like key management capabilities that the MOSS folks insisted on
including. So S/MIME would be quite acceptable, but only if they adopt the
security multipart scheme for MIME, AND if they include X.500 support (which
also applies to MOSS).
This is not a formal RFI, but one may be forthcoming. The number of systems
that would be involved is on the order of 80,000, and the platforms that must
be supported include Windows (pick your flavor of the month), Macintosh, and a
variety of Unix systems (Sun, HP, lots of others). We might also be interested
in marketing such systems to our telephone company customers (and others), and
we have more of those than any of the RBOCs.
Laurence Lundblade <lgl(_at_)qualcomm(_dot_)com>
QUALCOMM, Inc. 619-658-3584
As a hint, QUALCOMM's Eudora package is the standard at GTE Labs (but nowhere
else). When we mentioned PEM several years ago, the response was "we're going
to do X.500, but why on earth would we want to support anything like PEM?" Now
when we mention the subject, they say "we're implementing S/MIME, but why on
earth would we be interested in supporting X.500?"
Customer requirements, perhaps?
If anyone has something remotely approaching these requirements, or might be
interested in co-developing something with us, please drop me a note.
Bob
Robert R. Jueneman
GTE Laboratories
1-617-466-2820 Office
1-508-264-0485 Telecommuting
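The thread's two technical points, the gateway question at the top (pass the tagged parts through untouched) and the argument for the security multiparts approach (RFC 1847 multipart/signed) over an opaque S/MIME body, as an added example that is not code from the thread or from any product named in it. It builds a multipart/signed message, signs exactly the bytes of the first body part as transmitted, and shows that a MIME-aware reader with no S/MIME support can still display the text, while an application/pkcs7-mime body gives such a reader nothing. The addresses, the key and the HMAC standing in for a CMS/PKCS#7 signature are constructed stand-ins; the MIME layout and parameter names are the real ones.

```python
"""Security multiparts (RFC 1847 multipart/signed) beside an opaque S/MIME body.

Added example, not code from the thread or from any product named in it.  The
signature is an HMAC stand-in (constructed key) for the CMS/PKCS#7 blob a real
S/MIME agent would produce; the MIME layout and the rule "sign exactly the
bytes of the first body part as transmitted" are what is being shown.
"""
import hashlib
import hmac
from email import message_from_bytes, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

DEMO_KEY = b"constructed-demo-key-not-a-real-credential"  # constructed stand-in
SMTP = policy.SMTP  # CRLF line endings, i.e. the form the message has on the wire


def sign_part(part_bytes: bytes) -> bytes:
    """Stand-in for a detached CMS signature over the canonical first body part."""
    return hmac.new(DEMO_KEY, part_bytes, hashlib.sha256).hexdigest().encode()


def build_multipart_signed(text: str) -> bytes:
    """RFC 1847 layout: part 1 is ordinary MIME, part 2 is the detached signature."""
    content = MIMEText(text, "plain", "us-ascii")
    # Canonical (CRLF) form of the first body part, headers included.  These are
    # the bytes that go on the wire and exactly the bytes the signature covers.
    canonical = content.as_bytes(policy=SMTP)
    signature = MIMEApplication(sign_part(canonical), "pkcs7-signature",
                                name="smime.p7s")
    outer = MIMEMultipart("signed", protocol="application/pkcs7-signature",
                          micalg="sha-256")
    outer["From"] = "alice@example.com"  # constructed addresses
    outer["To"] = "bob@example.com"
    outer["Subject"] = "multipart/signed demo"
    outer.attach(content)
    outer.attach(signature)
    return outer.as_bytes(policy=SMTP)


def build_opaque_smime(text: str) -> bytes:
    """application/pkcs7-mime layout: the whole content lives inside the CMS blob.
    The blob here is constructed placeholder bytes, not real CMS SignedData."""
    blob = b"[CMS SignedData placeholder wrapping: " + text.encode("ascii") + b"]"
    msg = MIMEApplication(blob, "pkcs7-mime", smime_type="signed-data",
                          name="smime.p7m")
    msg["Subject"] = "opaque S/MIME demo"
    return msg.as_bytes(policy=SMTP)


def first_part_bytes(raw: bytes) -> bytes:
    """Recover the first body part exactly as transmitted.  Per RFC 2046 the CRLF
    that precedes a boundary line belongs to the boundary, not to the part."""
    boundary = message_from_bytes(raw, policy=SMTP).get_boundary().encode("ascii")
    segments = raw.split(b"\r\n--" + boundary)
    # segments[0] is the outer header block; segments[1] starts with the CRLF
    # that terminated the opening boundary line, followed by the first part.
    return segments[1][2:]


def verify_multipart_signed(raw: bytes) -> bool:
    """Check the detached signature against the transmitted bytes, never against
    a re-serialisation: a gateway that rewraps or re-encodes the part breaks it."""
    msg = message_from_bytes(raw, policy=SMTP)
    if msg.get_content_type() != "multipart/signed" or len(msg.get_payload()) != 2:
        return False
    claimed = msg.get_payload(1).get_payload(decode=True)
    expected = sign_part(first_part_bytes(raw))
    return hmac.compare_digest(claimed, expected)


def readable_without_smime(raw: bytes):
    """What a MIME-aware reader or gateway with no S/MIME support can still show."""
    msg = message_from_bytes(raw, policy=SMTP)
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            return part.get_content().replace("\r\n", "\n")
    return None  # opaque: nothing for a non-S/MIME reader to display


def gateway_action(raw: bytes) -> str:
    """The gateway rule from the thread: pass tagged security parts through untouched."""
    ctype = message_from_bytes(raw, policy=SMTP).get_content_type()
    if ctype in ("multipart/signed", "multipart/encrypted"):
        return "pass-through: body part stays readable; do not re-encode or rewrap"
    if ctype == "application/pkcs7-mime":
        return "pass-through: opaque; unreadable downstream without S/MIME support"
    return "ordinary MIME"


if __name__ == "__main__":
    signed = build_multipart_signed("Hello Bob,\nThe body stays ordinary MIME.\n")
    print(signed.decode("ascii"))
    print("verifies:", verify_multipart_signed(signed))
    print("readable without S/MIME:", readable_without_smime(signed) is not None)
    print("after tampering:", verify_multipart_signed(signed.replace(b"ordinary", b"altered")))
    opaque = build_opaque_smime("Hello Bob,\nThe body stays ordinary MIME.\n")
    print("opaque readable without S/MIME:", readable_without_smime(opaque) is not None)
```

The point of hashing the transmitted bytes rather than a re-serialised part is the practical weakness of multipart/signed that the thread's gateway question touches on: any intermediary that re-encodes the content transfer encoding, rewraps lines or converts line endings invalidates the signature, which is why a gateway's only safe action on a tagged security part is to pass it through unchanged.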