World
Electronic Messaging
Association
Challenge '99/2000
(Originally published in Messaging Magazine, March/April 1999)

By Paul Evans, Paul Evans & Associates and Michèle Rubenstein, U.S. Treasury

Today, businesses and consumers have been limited to only a fraction of potential capabilities of electronic messaging and Internet-based technologies. That tiny fraction has delivered significant advances in speed, effectiveness and economy. But truly astounding leaps forward remain outside our current reach. Businesses and consumers are limited in further advances until pivotal issues of identity, confidentiality, privacy, trust and authority are satisfactorily answered.

Challenge ‘99/2000 is an effort of the World Electronic Messaging Association (WEMA) to help resolve these impediments. WEMA will do so via demonstration of a standards-based, secure, global Electronic Commerce (EC) environment featuring a Public Key Infrastructure (PKI) that is interoperable across different CAs.

The Challenge is evolving and growing. It is a series of events, which will begin with organizing at the EMA annual conference in Dallas on March 30-April 1, 1999, and exhibits at other venues both in and outside the United States. The Challenge is taking on issues of significant complexity, and early experiences have demonstrated that the schedule needed to be extended. Organizations continue to join the Challenge and others are welcomed and encouraged to get involved.

Challenge ‘99/2000 will document the major business benefits for secure EC and secure electronic messaging, and how businesses and consumers can advance far beyond today’s accepted business practices. Among the capabilities Challenge ‘99/2000 will demonstrate will be how the business value-chain can be radically shortened and how secure, trusted business relationships can be formed in near-real time.

The Objectives of Challenge ‘99/2000 are as follows:

• To model a scalable, global, standards-based PKI that is fully functional and is transparent to users.
• To educate participants in and raise awareness of the issues of a multi-domain PKI in order to move them further along the learning curve.
• To demonstrate the use of a multi-domain, cross-certified PKI in support of critical business transactions.

The foundation applications to be supported over this PKI-based secure EC infrastructure are electronic messaging and the Web. Both messaging and Web environments can become truly secure EC-enabled environments through the use of digital certificates which are signed by a trusted authority. From WEMA’s perspective, approaching this issue is the next logical step following previous messaging and directory interoperability "challenges."

Organizing at EMA’99 in Dallas, TX, and with the goal of exhibiting at other WEMA events into the year 2000, Challenge ‘99/2000 intends to provide a comprehensive demonstration floor for all members to witness and participate in a well-defined, secure EC and messaging environment. This demonstration is largely intended to showcase two critical elements of a PKI:

1. How CAs work together in a multi-domain environment, and

2. How key management issues are identified and resolved.

The Challenge is providing participant user organizations, vendors, consultants and systems integrators a range of benefits. For example, user organizations are broadening the range of trading partners they can do electronic business with by creating a security infrastructure which runs over the Internet. Vendors are working to make the technology viable and capable of being fully deployed, thus reducing the perception that secure EC technology is still too immature to be deployed in a production environment. Consultants and systems integrators are acquiring unique, marketable hands-on skills.

In general, the complexity involved in deploying a truly global, interoperable secure EC and messaging environment has been perceived as overly formidable—both technologically and procedurally. The World Electronic Messaging Association (WEMA) has joined the individual messaging associations together in order demonstrate the viability of global electronic commerce. Under the scope of a WEMA interoperability challenge the intent is to capitalize on improved product capability and the heightened interest in the messaging community in the area of secure EC.

WEMA understands a true multi-domain EC infrastructure takes years to develop fully. However, Challenge ‘99/2000 identifies a critical subset of that effort which can be accomplished within the next year and a half. Work is proceeding toward demonstrations at other WEMA and non-WEMA events in the U.S., Europe, Japan and Asia/Oceania.

One of the principle drivers behind Challenge ‘99/2000 is the desire to enhance the level of security provided in EC applications.

Lastly, and perhaps most importantly, Challenge ‘99/2000 should provide an excellent opportunity for users to identify critical interoperability issues which vendors must meet in order to enable truly secure end-to-end messaging and business Web solutions. In conjunction with this, Challenge ‘99/2000 is an opportunity for vendors to work together towards the common goal of solving technical issues and showcasing the improved stability and usability of their products.

The Challenge Mission Statement:
Challenge ‘99/2000 is a forum for users and vendors to overcome interoperability barriers while advancing EC solutions such as secure electronic messaging and Web access. This EC infrastructure is to be deployed on an open, standards-based PKI and demonstrated publicly at WEMA events.

To this end, Challenge ‘99/2000 will be comprised of the following components:

EC infrastructure and demonstration platform consisting of:

• network components
• messaging servers
• Web clients and servers
• directory and database repositories
• security-enabled messaging clients
• a PKI comprised of multiple CAs running different Certificate Management System products.

The Challenge includes a project team consisting of a broad range of users and vendors working together to assure interoperability.

Demonstrations of Interoperable Security
Currently, the Challenge aims to demonstrate a range of scenarios involving secure messaging, Web access, EC functions and, possibly, virtual private networking.

The demonstration floor will provide an avenue for attendees to register with one of several participating CAs. This registration will result in the generation of at least one identity certificate signed by the CA for the attendee. A second certificate may be issued so that one may be used for signatures and the other for encryption. The participants’ keys will be provided to them on portable media (diskette or smart card).

For secure messaging, attendees could access a message system and directory service, retrieve other participants’ public certificates and send, encrypt, and sign messages. In addition, they will be able to verify the validity and authenticity of the certificates used in the message exchange. The secure messaging demonstration may include message-enabled e-forms, to mimic some simple, standard business transaction such as a purchase order, invoice and the like.

For Web access, the participant will be able to strongly authenticate to participating Challenge Web servers—with the Web servers authenticating themselves back to the client. Many of the Web servers will have been certified by CAs different from those of the participants, in order to demonstrate interoperability. EC and virtual private networking functions will be demonstrated in similar fashion.

At the end of the demonstration, the participant will get a fact sheet showing what they did and how it was accomplished. This fact sheet will also provide a description of how such a transaction would have been performed using today’s standard methods (including, phone, fax, mail, e-mail and more) and associated costs. It will then contrast this to the cost of the transaction using a secure interoperable PKI.

Components of the Challenge ‘99/2000
The Challenge demonstration infrastructure will be comprised of several interoperable components, ranging from Certificate Management Systems to network components, as described below.

Certificate Management Systems
Certificate Management Systems provide critical tools for many of the activities required of a PKI. These activities include, but are not limited to, the following:

• user identity validation
• public and private key pair generation
• certificate generation and signing
• managing certificates in a directory
• performing certificate revocation, publishing certificate revocation lists (CRLs), and providing certificate status validation.
• key and certificate distribution
• managing CA certificates and cross-certificate pairs

Challenge ‘99/2000 endeavors to include as many different certificate management systems as possible, as this is one of the most important areas of interoperability to be demonstrated. Each CA may potentially use different signature and encryption algorithms, with information stored within the certificate functioning as the indicator to the PKI software.

CAs
CAs are organizations running certificate management systems and functioning in a service provider role (either public or private). A Certificate Authority is a trusted third party whose digital signature in a user’s certificate amounts to trust in the validity of the certificate.

The Challenge ‘99/2000 infrastructure will be comprised of several independent CAs, who will each cross-certify all other participating CAs in order to build a trusted environment. CA services can be provided by user organizations, service providers, or even vendors.

Certificate Repositories
Once certificates are generated by the cert-management system and signed by a CA, they must be stored in a readily accessible repository. Typically, such a repository is a directory service. The basic requirement for participating directory services is that they support two important features:

1. X.509 v3 certificates
2. Lightweight Directory Access Protocol (LDAP) (either v2 or v3) for certificate storage (by the CA/cert-management system) and retrieval (by messaging/EC clients).

As part of its interoperability showcase, the Challenge infrastructure will contain many different directory services from many vendors, all storing X.509 v3 certificates, which are retrievable via LDAP-enabled messaging clients. In addition, some directories may participate in replication using either X.500 Directory Information Shadowing Protocol (DISP) or vendor-specific flavors of LDAP replication.

Messaging Servers
Messaging servers that support Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP4), X.400 and P7 protocols will be used as the EC message delivery vehicle for the demonstration. Messaging servers from many different vendors will be included in the infrastructure.

Secure Messaging Clients
Messaging client interfaces are used by participants for the following purposes:

• retrieve public certificates from the directories via LDAP or DAP
• encrypt message body contents with public keys stored in the certificates
• sign messages with private keys
• submit signed and/or encrypted messages to the SMTP or X.400 messaging servers
• retrieve signed and/or encrypted messages from the message stores
• decrypt message contents using recipient’s private key
• verify signature using sender’s public certificate and key.

Where possible, the messaging clients will be incorporated within mail-enabled electronic forms that function as standard transaction forms (e.g., purchase order, invoice, etc.). In these cases, the e-forms will use the underlying desktop messaging clients to perform the activities above. The Challenge ‘99/2000 infrastructure will include messaging clients from different vendors as part of the overall interoperability exercise.

Secure Web Servers and Clients
Secure electronic messaging is only one component of emerging Electronic Commerce environments. Additional interest is centered on using PKIs to provide Web client and server authentication, in order to validate the identity of Web users and servers. Therefore, the Challenge ‘99/2000 PKI will also support Web client and server authentication as part of the overall EC infrastructure.

Web client and server support will leverage much of the same PKI management and usage functions provided by the PKI for secure electronic messaging, namely:

• user identity validation
• Secure Sockets Layer/Transport Layer Services (SSL/TLS) key generation for Web users and servers, with potential support for other protocols such as Secure Hypertext Transfer Protocol (S-http)
• key distribution
• certificate management, including certificate signing and revocation
• cross-certification of Web CAs.

As is normally done today, encrypted sessions will be created once the Web clients and servers have successfully authenticated each other. Web client and server software from many different vendors will be included in Challenge interoperability testing.

Additional information can be found at: www.ema.org/challenge99.   MM

      
Back to Table of Contents