The Emergence of S/MIME

By Tim Matthews, RSA Data Security, Inc

S/MIME has passed the two-year mark. The latest addition to the legacy of secure e-mail standards, S/MIME is gaining momentum and appears to be the first that will enjoy widespread adoption. In its short but precocious history, S/MIME has moved from the whiteboard to mass market software packages. Think of it: the ability to send completely private and authentic messages from anywhere to anywhere, no matter what the e-mail package. But the story gets even better. The security features of S/MIME will move electronic messaging into new application areas.

The success of S/MIME arises from the unlikely synergy between convenience and paranoia. While there has not been any recent fundamental innovation in electronic mail, the large and growing number of individuals and companies that are now connected lends e-mail a new aspect. What were once insular communities of users can now reach out beyond the edges of their LANs. Individual users no longer have to fight to connect their systems to the Internet, and are therefore easily accessible. The number of interconnected users online has moved e-mail to a level of convenience on a par with the telephone or fax.

Along with convenience comes a new risk. Messages moving between sender and receiver travel through machines not under their control. The safety of sensitive data cannot be guaranteed, and this is what causes user paranoia.

Electronic mail is effective because it works asynchronously, the way that humans work. The downside is that the user cannot track the message, and this affects a user's confidence. A user does not see a transaction complete. It is not possible to see the message being delivered. A digital means of safeguarding the content is essential for one to have trust in the security of the message that has just been released.

Secure messaging is more than just encrypting a message so a hacker cannot read it on the wire. S/MIME enhances messaging by providing digital analogs of things we have now with paper communications. The most important of these is the digital signature. Just like a real signature, digital signatures attest to the identity of the sender of a message. Signatures can even be nested, so a message can be passed along and signed by multiple users (or processes) along the way. S/MIME also provides a means of guaranteeing the integrity of an electronic message -- something needed in a world where all individuality is stripped as message text is converted to fixed width fonts. Modifying just a bit or two could mean a big difference in what gets delivered or how much is paid. The result of using a digital signature is an authenticated message with complete message integrity. Combined with strong encryption, this is a tamper-proof package.

Tamper-resistance with privacy is an appealing and reassuring combination. Stir in one more factor--cost--and the attraction to secure electronic messaging becomes even stronger. Messaging is cheap. The software is easy to understand. The connections already exist. Moving beyond e-mail clients only makes sense. The combination of security and messaging that S/MIME provides is opening new opportunities for the messaging industry.

The first example of this is the Electronic Data Interchange (EDI) community. EDI has traditionally been done over value-added networks (VANs). VANs provide reliable and secure service, but at a relatively high cost. Using S/MIME, EDI vendors can offer their customers lower-cost EDI with excellent security. Users frequently find that connectivity and response time improve as well. CommerceNet has played a critical role in bringing these two fields together, and continues to sponsor the Secure Internet EDI Interoperability Pilot.

Close behind in adoption of S/MIME is an assorted bunch of on-line services. Some aim to provide their business subscribers enhanced services, and find security to be the perfect offering. Others offer a less structured form of EDI under the rubric of electronic commerce. Perhaps the most innovative is a class of on-line services offering what has come to be called "mediated electronic messaging". Something of an amalgamation of all of the above services, mediated electronic messaging services perform a variety of functions on electronic messages. These range from guaranteed delivery and archiving, to timestamping and transaction insurance. While some might scoff at paying for what is essentially already included with electronic mail, these providers point to the difference between the U.S. Postal Service and FedEx. Consumers are willing to pay for extra services.

Applications of S/MIME
The list of new application areas that S/MIME facilitates is long and growing.

Software companies and content providers are initiating secure content delivery via e-mail. Sensitive information like stock portfolios and software updates can be delivered naturally and securely using secure messaging. Many think secure messaging is the right way to do Internet push. Some large institutions are considering secure messaging for their legacy applications so that, say, human resource files could be safely and automatically sent to an individual. Additionally, the transmission of secure patient records anywhere in the world, confidential and only available to authorized parties, is seen as an important area by the health care industry.

The future for S/MIME is bright. In the summer of 1997, Microsoft and Netscape released versions of their Internet mail clients that include S/MIME functionality. Almost overnight, millions of users around the world were given the ability to exchange secure messages. The scale of these two releases cemented S/MIME as a fundamental piece of the Internet infrastructure.

Releasing S/MIME on such a scale requires careful attention to interoperability. For this reason, RSA has established the S/MIME Interoperability Center. This certification program for applications using S/MIME ensures that products displaying the S/MIME seal can interoperate with products from other vendors. Microsoft and Netscape join 10 other companies who have completed, or are completing, the interoperability testing. Notably, the most recent round of interoperability testing includes three non-U.S. software companies.

There is also motion on the standards front. Last December, the S/MIME community had its first working group meeting at the Internet Engineering Task Force (IETF). Publication as an IETF standard will broaden the audience for S/MIME, and encourage the use of secure messaging. The S/MIME community is also looking at integrating S/MIME with other select messaging and application standards. Work to integrate S/MIME with the U.S. government's Messaging Security Protocol (MSP) is already underway.

With all of this momentum, what is next for S/MIME? It seems clear that S/MIME is destined for inclusion as a standard feature in every mail client. The EDI community is forging ahead. Online services are quickly integrating S/MIME features.

The combination of security and messaging will allow S/MIME to move into even more application areas: content delivery, unique online services, health care automation. The power of the mix of security and messaging is that it will finally allow the replacement of many processes that are now limited to paper.

The challenge to the messaging community is to think creatively. S/MIME will be present on millions of desktops. Interested communities like EDI will be moving out products. Standards will be in place. S/MIME presents the opportunity for the true potential of electronic messaging to be realized.

To learn more about secure messaging, attend the "Secure Messaging Technologies" session on Tuesday, April 28 from 2:30-4:00 at EMA'98 in Anaheim, California.