CNET también está disponible en español.

Ir a español

Don't show this again

Tech Industry

RSA lobbies for S/MIME standard

The company launches a campaign designed to make its security protocol for electronic messaging the market's de facto standard.

Pushing its flavor of secure email, RSA Data Security launched a campaign today designed to make its S/MIME security protocol for electronic messaging the market's de facto standard and to win the official blessing as an Internet standard, too.

The company said today it has applied to the Internet Engineering Task Force standards body to establish S/MIME as an IETF standard. The move gets S/MIME back on the IETF's security track after it was derailed July 1 in what RSA calls a "miscommunication."

S/MIME is based on a combination of the standard MIME specification and the intervendor Public-Key Cryptography Standards (PKCS), considered to be one of the most widely implemented commercial cryptographic standards in the United States.

S/MIME had fallen off the IETF standards track in part because it requires the licensing of RSA's algorithms. A separate IETF group is working on making OpenPGP, from RSA rival Pretty Good Privacy, a secure email standard, too. IETF could endorse both S/MIME and OpenPGP, leaving it to vendors to decide whether to support one or both.

S/MIME, pushed by RSA's testing for interoperability, is used by a number of vendors, including Microsoft, IBM, Netscape Communications, and VeriSign. It allows vendors to develop RSA-based security for electronic messaging products so that a S/MIME message encrypted with one vendor's application can be decrypted on that of another.

At a RSA event today, VeriSign, the chief provider of digital certificates for the Internet, unveiled new services designed to drive broad usage of the S/MIME protocol. Digital certificates function as electronic identity cards for the Net.

VeriSign unveiled a new Web directory service so users can easily look up the digital ID of a person with whom they want to correspond. Based on LDAP (lightweight directory access protocol), the directory service lets Microsoft Outlook and Netscape Messenger email software users obtain another person's digital certificate within their email application.

VeriSign also has launched a Web site where those using other secure email software can look up more than 1 million users' digital certificates in VeriSign's database.

Anil Pereria, VeriSign's vice president of marketing, said, "As the Internet takes off as a platform for electronic commerce, eventually email will be key to securing communications for stock brokerages, banks, and so on. The key to that has to be confirming messages."

Stratton Sclavos, VeriSign's chief executive, said interest in buying the company's $9.95-per-year digital IDs has surged since the recent release of new email software in Microsoft's and Netscape's latest Web browsers. Both email products give users a free 60-day trial digital certificate.

Netscape also uses VeriSign digital IDs to control access to its secure extranet for its partners that develop software for Netscape's platform.

In other S/MIME news today, Entrust Technologies, which markets certificate authority software so companies can issue their own digital certificates, said a new version of its Entrust/Web CA software now can issue S/MIME certificates.

Irish security firm Baltimore Technologies also demonstrated secure email software that incorporates a "key recovery" system. Key recovery is pushed by U.S. security company Trusted Information Systems as a method to recover cryptographic keys that are lost or to view encrypted information under a government order.

Baltimore and TIS are expected to develop a commercial secure email product based on the key recovery technology.

In Japan, a new S/MIME consortium was formed by a group of 12 Japanese manufacturers, resellers, and distributors of secure messaging systems, plus RSA and VeriSign, to promote S/MIME in Japan.

In another S/MIME standards development, RSA said it will add features of the U.S. government's Message Security Protocol (MSP) into S/MIME. That initiative, being funded by the National Security Agency, is designed so government agencies can use commercial S/MIME software rather than requiring special, more expensive email software for government use.

RSA's renewed efforts to put S/MIME before the IETF as a standard garnered mixed reviews from sometimes-rivals PGP and Cylink.

"RSA is moving in the right direction here," said Charles Breed, PGP's director of technology. "I want the market to come together because the more the market is fragmented, the worse for customers and vendors. We've got to get over this feud."

But Breed suggested RSA may have to alter the S/MIME protocol to win IETF approval, in ways that could create compatibility problems with current versions of S/MIME software. "I believe there is some fragmentation in the S/MIME group with this new effort," he said.

Cylink chief scientist Charles Williams called RSA's return to the IETF process "excellent news," saying Cylink will join the S/MIME working group. He also termed S/MIME as "technically an excellent solution and widely deployed."

"We should not confuse the standard process with an effort to lock certain technologies into the market, especially technology that is not widely and freely available," Williams said, referring to RSA's current requirement that its algorithms be used for S/MIME applications.

In the past, the lack of industry agreement on standards for secure messaging over the Internet has limited adoption of messaging security technology, RSA argued.