IETF drops RSA secure email proposal, takes up with PGP

Everything you knew about email security standards is wrong. The odds-on favorite email security technology - RSA Data Security's S/MIME - is suddenly out of the running as an IETF standard, having basically been booted off the Internet Engineering Task Force standards track because of RSA's business practices. This throws email security into disarray because the Secure Multi-purpose Mail Extension has been or will be implemented in high-profile products such as Netscape Communicator 4.0 and Microsoft Internet Explorer and Lotus Domino.

The odds-on favorite email security technology - S/MIME - is suddenly out of the running as an IETF standard.

The specification, based on technology from RSA Data Security, has basically been booted off the Internet Engineering Task Force standards track because of RSA's business practices.

Jumping into the race is RSA rival Pretty Good Privacy Inc. (PGP), which is pitching an email security specification called Open PGP. The company has promised it will put the specification in the public domain, giving authority over change to the IETF.

This throws email security into disarray because the Secure Multi-purpose Mail Extension already has been or will be implemented in high-profile products such as Netscape Communicator 4.0 and Microsoft Internet Explorer. It is expected to be included in other products such as Lotus Development Corp.'s Domino.

Email security technology has become a vital element for such products because customers are increasingly using e-mail to exchange important business information.

The setback stems from a recent IETF meeting in Munich. At the meeting, IETF Security Area Director Jeff Schiller, the referee on all security matters, essentially tossed S/MIME out of the game.

He said the fact that users have to pay licensing and royalty fees to RSA to develop an S/MIME product eliminated it from becoming an IETF-blessed standard.

"You shouldn't have to purchase technology from a proponent of a standard," said Schiller, who is manager of network services at the Massachusetts Institute of Technology.

A number of important items, such as an official charter for the planned Open PGP Working Group and possibly having PGP sign legal papers relinquishing change control on its technology, still need to be ironed out. But it appears likely that Open PGP is in and S/MIME is out at the IETF.

Charles Breed, PGP's director of technologies, said the Open PGP framework for public-key certificates, encrypted messages and digital signing will rely on the Diffie-Hellman key-management patents, which are held by Stanford University and managed by Cylink Corp.

Invented by crypto legends Whitfield Diffie and Martin Hellman at Stanford, the public-key technology will be available Sept. 6, which is when the 20-year patents expire.

In the midst of this setback for RSA, there is growing evidence that RSA's S/MIME interoperability tests for S/MIME products have been less than a success.

In the RSA-reviewed testing, vendors test their products against a single S/MIME reference implementation supplied by Worldtalk, Inc. But S/MIME products are not being tested against each other directly.

Although Communicator 4.0, now shipping, and Internet Explorer 4.0, which is still in beta, both passed RSA's S/MIME interoperability tests, they do not work together. According to several sources, the two products can exchange encrypted mail, but they cannot check each other's digital signatures.

"There's been a misunderstanding," said Steve Dusse, RSA's chief technology officer. He said Microsoft and Netscape pulled a "bait and switch" in which the software each submitted that passed the tests was changed in the products that appeared on the market.

"By the time Microsoft released their S/MIME product, it had deficiencies," Dusse said. "The problem on the Netscape side was introduced between the beta and the final release."

RSA said it believes Microsoft and Netscape are fixing the problems so that the final Internet Explorer 4.0 and Version 4.02 of Communicator will be interoperable in S/MIME. RSA now wants to test final products, not beta code.

About a half-dozen S/MIME products are now on the market, including those from Frontier Technologies Inc., ConnectSoft Inc. and Worldtalk.
