RSA losing email standard fight

An international body responsible for adopting an Internet email standard dismisses a proposal by RSA Data Security and considers technology from rival PGP.

3 min read
The global effort to create a common protocol for encrypting email is getting turned on its head.

The Internet Engineering Task Force, an international body responsible for adopting Net standards, has dismissed a specification created by RSA Data Security and instead is considering a technology from RSA's archrival, Pretty Good Privacy.

"The truth is that S/MIME is out, as far as the IETF is concerned," said John Noerenberg, chair of the proposed working group considering the PGP technology for the task force.

S/MIME, a spec for encrypting and decrypting email, is based on patented technology and trade secrets owned by RSA. Noerenberg said RSA's claims to ownership of both the technology and the S/MIME trademark soured the task force on the specification.

"If the IETF had proceeded with S/MIME as a standard, anybody who intended to implement it would be required to license it from RSA," added Noerenberg, who is also director of technology at the Eudora division of Qualcomm, a company that entered into a licensing deal with PGP six months ago. "This is an onerous restriction because it essentially creates a monopoly."

Now that RSA is out of the running, PGP is attempting to fill the void by submitting a specification based on a popular technology known as the Diffie-Hellman key management system. Patents on the technology will expire next month.

The group backing the specification, dubbed Open PGP, recently submitted a proposed charter that will be voted on within the next two weeks, said Jeff Schiller, who heads up security issues for the Internet standards body. He said the IETF would announce by next month whether the Open PGP working group will be accepted.

Once the working group is approved, Open PGP could become an official standard within two years, Noerenberg said. An open standard would allow Internet users to seamlessly exchange encrypted email with people using different programs. Currently, incompatibilities between programs often make that impossible.

Because PGP will claim no proprietary rights to its technology, the chances that Open PGP will become an official standard are high, according to Charles Breed, PGP's director of technology.

"In order for this thing to take off, you need an open, unencumbered specification," he said. "Now the industry can stand back and say the standard isn't controlled by any one company."

But Steve Dusse, RSA's chief technology officer, disputed whether the standard would truly be in the public domain even if PGP makes no claims to its ownership. "I would be fairly well convinced that there are [third-party] patent holders who will claim coverage over" technologies used in Open PGP, he said.

Dusse also insisted that S/MIME is still in the running, saying that it hasn't even been submitted to the standards body yet.

Schiller said that the group proposing the RSA standard missed its July 1 deadline to submit specifications and that it's all but sure that S/MIME is stillborn.

"If I can be convinced that they didn't understand the nature of the deadline, I could be flexible," Schiller said. "I would say right now that the likely scenario is that the IETF is going to move to something more like PGP than RSA."