S/MIME
S/MIME (Secure / Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of e-mail encapsulated in MIME.
History
S/MIME was originally developed by RSA Data Security Inc. The original specification used the then recently developed IETF MIME specification together with the de facto industry standard PKCS #7 secure message format. Change control of S/MIME has since been vested in the IETF, and the specification is now layered on the Cryptographic Message Syntax (CMS), an IETF specification that is identical to PKCS #7 in most respects.
Function
S/MIME provides the following cryptographic security services for electronic messaging applications: authentication, message integrity and non-repudiation of origin (using digital signatures), and privacy and data security (using encryption). For enveloping (encrypting), S/MIME specifies the application/pkcs7-mime type with smime-type "enveloped-data": the whole (prepared) MIME entity to be enveloped is encrypted and packed into a CMS EnvelopedData object, which is then inserted into an application/pkcs7-mime MIME entity. Signed messages are carried either as multipart/signed with a detached application/pkcs7-signature part (the signed entity stays readable by clients without S/MIME support) or as application/pkcs7-mime with smime-type "signed-data". S/MIME functionality is built into the vast majority of modern e-mail software and interoperates between all of the following (and others):
- Outlook (since 1999? and Outlook 98)
- Outlook Express (since 1999?)
- Microsoft Entourage (since 2004)
- Apple Mail (Since Mac OS X v10.3 Panther)
- Mozilla Mail (all releases after 0.9.7)
- Mozilla Thunderbird (all releases)
- Netscape Communicator (4.x)
- Lotus Notes (since release 5.0)
- Novell GroupWise (since 1998 with the 5.5 release)
- Qualcomm Eudora (since release 7.0; however, the 7.0 implementation of S/MIME is very deficient.)
- The Bat!
- Mutt (since release 1.5.5i)
- Gnus (with an external extension)
- Novell Evolution (since release 2.0.0)
- Balsa (since release 2.2.6)
- KMail (since release 1.6, integrated in KDE 3.2)
- Sun Java Messaging (in the Web-based client)
- GMail (using Firefox with the [Gmail S/MIME extension])
S/MIME Certificates
Before S/MIME can be used in any of the above applications, one must obtain and install an individual key/certificate, either from one's in-house CA or from a public CA such as one of those listed below. Encrypting to a recipient requires having that party's certificate in one's certificate store (which typically happens automatically upon receiving a signed message from the party with a valid signing certificate). While it is technically possible to send an encrypted message (using the recipient's certificate) without having one's own certificate for signing, in practice S/MIME clients require that you install your own certificate before they allow encrypting to others. A typical basic personal certificate verifies the owner's identity only in terms of binding them to an email address; it does not verify the person's name or business. The latter, if needed (e.g. for signing contracts), can be obtained through CAs that offer further verification (digital notary) services or a managed PKI service. For more detail on authentication, see Digital Signature.
Depending on the policy of the CA, your certificate and all its contents may be posted publicly for reference and verification. This makes your name and email address available for all to see and possibly search for. Other CAs publish only serial numbers and revocation status, which does not include any of the personal information. Publishing revocation status is, at a minimum, mandatory to uphold the integrity of the public key infrastructure: without it, relying parties cannot tell that a compromised or superseded certificate should no longer be trusted.
Obstacles to deploying S/MIME in practice
- S/MIME is not properly suited for use via webmail clients. Though support can be hacked into a browser (as with the GMail plugin above), security requires the private key to be kept accessible to the user but inaccessible to the webmail server, which complicates the key webmail advantage of ubiquitous accessibility.
- S/MIME is tailored for end-to-end security. Encryption encrypts not only your messages but also any malware they carry. Thus, if your mail is scanned for malware anywhere but at the end points, such as your company's gateway, encryption will defeat the detector while successfully delivering the malware. Solutions:
- * Perform malware scanning on end user stations after decryption.
- * Store private keys on the gateway server so decryption can occur prior to the gateway malware scan (at the cost of the end-to-end property: the gateway can then read all mail).
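The following shell session is added here as an illustration and is not part of the original article. It walks through the services described under Function with the openssl "cms" subcommand (signing as multipart/signed, enveloping as application/pkcs7-mime with smime-type enveloped-data, decryption and signature verification), and then demonstrates the gateway-scanning obstacle above: a gateway that lacks the recipient's private key sees only the outer MIME type and cannot match anything inside the envelope. The identities (alice, bob), addresses and message are constructed for the demonstration, and self-signed certificates stand in for CA-issued ones; a recent OpenSSL (1.1.1 or later, for -addext) is assumed.

```shell
#!/bin/sh
# Added example, not taken from the article: an S/MIME round trip with
# "openssl cms". Alice signs a MIME entity and envelops it for Bob; Bob
# decrypts and verifies. Identities, addresses and the message are
# constructed here; self-signed certificates stand in for CA-issued ones.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
EOF

# make_identity NAME EMAIL: private key plus self-signed certificate. The
# subjectAltName carries the e-mail address, which is the only identity a
# basic personal certificate binds to.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config req.cnf \
        -subj "/CN=$1/emailAddress=$2" -addext "subjectAltName=email:$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
make_identity alice alice@example.com
make_identity bob bob@example.com

# Constructed plaintext: a complete MIME entity (headers included), which is
# the unit S/MIME signs and envelops.
printf 'Content-Type: text/plain\r\n\r\nQuarterly numbers attached.\r\n' > body.mime

# Alice signs: multipart/signed with a detached CMS SignedData part, so the
# text part stays readable by clients without S/MIME support.
openssl cms -sign -in body.mime -signer alice.crt -inkey alice.key \
    -from alice@example.com -to bob@example.com -subject "Q3 figures" \
    -out signed.eml

# Alice then envelops the signed entity for Bob: the whole signed message is
# encrypted into CMS EnvelopedData and wrapped as application/pkcs7-mime.
openssl cms -encrypt -aes256 -in signed.eml -out encrypted.eml bob.crt

# What a gateway without Bob's private key sees: the outer MIME type only.
outer_smime_type() {
    grep -o 'smime-type=[a-z-]*' encrypted.eml | head -n 1
}

# "yes" if a gateway scanner could match the plaintext, "no" otherwise.
plaintext_visible_to_gateway() {
    if grep -q 'Quarterly' encrypted.eml; then echo yes; else echo no; fi
}

# Bob decrypts with his key, verifies Alice's signature against a trust anchor
# (her self-signed certificate here) and recovers the original MIME entity.
decrypt_and_verify() {
    openssl cms -decrypt -in encrypted.eml -recip bob.crt -inkey bob.key \
        -out signed_inner.eml
    openssl cms -verify -in signed_inner.eml -CAfile alice.crt \
        -out recovered.mime 2>/dev/null
    cat recovered.mime
}

# Integrity check: alter one character of the signed body and confirm that
# verification now fails ("yes" when the tampering is detected).
tampering_detected() {
    sed 's/Quarterly/Quarterl1/' signed.eml > tampered.eml
    if openssl cms -verify -in tampered.eml -CAfile alice.crt \
        -out /dev/null 2>/dev/null; then echo no; else echo yes; fi
}

echo "outer type: $(outer_smime_type)"
echo "plaintext visible to gateway: $(plaintext_visible_to_gateway)"
decrypt_and_verify
echo "tampering detected: $(tampering_detected)"
```

Note that the order is sign-then-encrypt: the signature is inside the envelope, so only Bob can see who signed the message, and the outer application/pkcs7-mime entity reveals nothing to an intermediary beyond its size and recipient. The same commands with the older "openssl smime" subcommand produce the legacy application/x-pkcs7-mime type instead.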
See also
- MIME Multipurpose Internet Mail Extensions
- TLS Transport Layer Security, formerly SSL
- E-mail authentication
- Pretty Good Privacy (PGP)
External links
- [S/MIME working group charter] — has links to S/MIME related RFCs and internet drafts.
- [How to forge an S/MIME signature] — critique of some S/MIME implementations.
- [S/MIME IETF Working Group]
- [S/MIME and OpenPGP]
- [E-mail Client Testing for S/MIME Compliance]
- VeriSign's Public Directory (ldap://directory.verisign.com)
Free Certificates
- [Thawte]
- [Comodo] Max 1024 bit keys
- CAcert (its root is not yet trusted by most clients, but it offers free server certificates too)
- [GlobalTrust] (lifetime free certificate)
Non Free Certificates
- [VeriSign Digital ID]
- [Comodo] Max 1024 bit keys
- [GeoTrust MyCredential™]
- [XRamp]
- [IdenTrust TrustID®]
From Wikipedia, the Free Encyclopedia.
All text is available under the terms of the GNU Free Documentation License. See Wikipedia Copyrights for details.
