The troubled, yet most popular, e-mail security technology - S/MIME - may find its way onto the Internet standards track after all. But it won't be bearing the corporate flag of long-time chief advocate RSA Data Security Inc.
RSA has formally renounced trademark and change-control rights to the Secure Multi-purpose Internet Mail Extensions (S/MIME) specification. This renunciation removes what had been a sticking point for S/MIME in terms of being granted an Internet Engineering Task Force working group.
The IETF in August had all but tossed out S/MIME and criticised RSA's attempt to establish the security specification as a standard. The standards body also continued to collect license fees and maintain tight technical control.
Although S/MIME is appearing in a growing number of major e-mail and EDI products, the absence of a formal security standard is seen as exacerbating interoperability issues that have dogged early S/MIME implementations.
"With RSA out of the picture," e-mail vendors who are anxious to see an "open" security standard adopted will modify S/MIME and try to rehabilitate it in the eyes of the IETF, according to Paul Hoffman, director of the Internet Mail Consortium (IMC). IMC is facilitating that effort with input from its membership.
RSA welcomes the effort, according to Tim Matthews, a company product manager. Portrayals of RSA as an impediment to the S/MIME standards effort have been inaccurate, Matthews says. He adds that the trademark renunciation was a formality that had long been planned.
Meanwhile, an IETF working group has been established to push a competing e-mail security technology from Pretty Good Privacy, called Open-PGP. There is a possibility bothOpen-PGP and S/MIME could eventually become standards, according to experts.
"Even if we don't get an S/MIME working group [granted by IETF], we still will work on an open S/MIME that could get on a standards track," Hoffman says.
Trademark ownership and standards disputes aside, RSA continues to beat the S/MIME drum. The company will host an event called "S/MIME Live" on Oct. 31 in San Francisco todemonstrate interoperability between S/MIME-enabled products from RSA, Lotus, Netscape, Novell Inc., Worldtalk and others.
The uncertainty over e-mail security standards has left vendors and their corporate customers in a quandary.
"The debate is making it difficult for us to make informed plans," says Paul Levesque, a systems engineer at Lockheed Martin.
Microsoft., for example, has added support for S/MIME to its Internet Explorer 4.0 Web browser and plans the same for an upcoming version of its Outlook e-mail client. But the company is mindful that Open-PGP may eventually win the IETF's blessing.
"We have the ability to quickly make a decision to add PGP, should that become necessary," said Scott Gode, product manager at Outlook.
While S/MIME and Open-PGP both have advocates, most corporate customers are simply hoping one or the other will gain the IETF's blessing.
"It really doesn't matter, as long as they get some kind of a standard,"says Sam Scott, lead system programmer at Pier 1 Imports, in Ft. Worth, Texas.