pem-dev

Re: Securing messages across gateways

1995-10-30 07:19:00

This is something I have been concerned about for a long time.  I come
from a mixed protocol background, where SMTP and X.400 are equally
used (yes, that's odd in itself, but a different debate!)

I can use PGP today in BOTH environments, and do often.   Ditto PEM.

The problem is neither is multi-media, but in today's mail environment
I need something that integrates MIME and X.400.  I have not looked at
S/MIME closely, but think it is sufficiently similar to MOSS for the
following to be correct for S/MIME also.

In MOSS, for signed mail, you have two body parts.  Both contain
headers followed by textual data.  The signature body part verifies
that the headers and text in the data body part are unaltered.  When
you go through a gateway of any kind the text should be unaltered.

Alas, this is not good enough, as the signature is on the headers as
well.  Some experiments I have tried, sending such messages through a
RFC 1327 gateway (X.400 to Internet and vice versa) show that, by
chance, the MIME headers are unaltered as well.  Consequently, by
chance, the signature will verify.

As it happens, RFC 1327 is being revised at the moment in a
specification called MIXER.  What would be great is if MIXER took the
security requirements into account to remove the "by chance" element.

My trials so far have only been for single text body part messages,
looking beyond that full MIME should not be too hard (except X.400
UAs would need to interpret the MIME, but that should not be too hard
to do - they may have to anyway).

Encrypted messages should work in a similar way.

Consequently, what I am suggesting, is if there is some kind of cross
party discussions, maybe we are just on the verge of finding a
unifying security technology, that works as well for X.400 as for
SMTP.  I cannot see any fundamental reason, why MOSS style security
should not be able to cross gateways intact.  I'm not sure where we
go from here, but it's surely worth contemplation for a while?

Colin
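
The "by chance" dependency described in the message above, as an added example that is not part of the original post: a signature computed over the data body part's MIME headers plus its text survives a gateway only if the headers come through unaltered. The HMAC stands in for a real MOSS signature, and the key, the sample body part and both gateway functions are constructed assumptions, not the behaviour of any particular RFC 1327 implementation.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; stands in for the signer's key

# Constructed data body part: MIME headers, blank line, then the text.
DATA_PART = (
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "Content-Transfer-Encoding: 7bit\r\n"
    "\r\n"
    "Meeting moved to 14:00.\r\n"
)

def canonical(part: str) -> bytes:
    """Canonical form for signing: every line terminated by CRLF."""
    return "\r\n".join(part.splitlines()).encode("ascii") + b"\r\n"

def sign(part: str) -> str:
    """Stand-in signature over the headers AND the text of the body part."""
    return hmac.new(KEY, canonical(part), hashlib.sha256).hexdigest()

def verify(part: str, sig: str) -> bool:
    return hmac.compare_digest(sign(part), sig)

def text_of(part: str) -> str:
    """Text after the header block, with line endings normalised."""
    return part.replace("\r\n", "\n").partition("\n\n")[2]

def gateway_transparent(part: str) -> str:
    """Hypothetical gateway: headers and text pass through, only the
    line endings change in transit."""
    return part.replace("\r\n", "\n")

def gateway_regenerating(part: str) -> str:
    """Hypothetical gateway: text is preserved, but the MIME headers are
    rebuilt from the gateway's own idea of the content type."""
    return 'Content-Type: text/plain; charset="US-ASCII"\n\n' + text_of(part)

def check(received: str, sig: str) -> tuple[bool, bool]:
    """Return (text unaltered, signature verifies) for a received part."""
    return text_of(received) == text_of(DATA_PART), verify(received, sig)

if __name__ == "__main__":
    sig = sign(DATA_PART)
    for gw in (gateway_transparent, gateway_regenerating):
        print(gw.__name__, check(gw(DATA_PART), sig))
```

In both runs the text is unaltered; only the gateway that leaves the headers alone yields a signature that still verifies.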
