S/MIME V3 White Paper
Email and Security
With the growth of the Internet and other computer networks email has become ubiquitous,
and is increasingly a mission-critical facility for businesses and government users. The use
of email has emerged as the ideal tool for both the business community and individual users
to communicate effectively, efficiently and in a speedy manner. Email is not only easy to use
for the end user, but also extremely cost-effective and efficient for the organisation,
providing a truly global communication infrastructure.
Common Internet-based email systems provide an appropriate solution when used for
sending information of low value or when strong proof of the identity of the sender or
recipient is not required. However, if email is to be used for confidential information
exchange and high value transactions then extra security services are required. Incidents of
email hacking and compromise of data are becoming frequent and widespread within the
business community. The need for secure email has become critical.
In today's privacy and security sensitive environments, email security can no longer be
viewed as merely a luxury for organisations, but rather as a pre-requisite to implementing
business processes and the transfer of corporate and personal data. A secure email facility:
• Leverages email, the most commonly deployed internet application, to transmitting
sensitive, confidential and verifiable information
• Prevents compromise of business information, loss of intellectual property
• Protects against corporate espionage or cyber terrorism
• Forms the basis for e-business applications
• Gives access to new markets
• Leads to greater efficiencies, attractive ROI
• Can deliver competitive advantage
As a result of the need for email security, a number of standards have emerged over recent
• Privacy Enhanced Mail (PEM)
• Pretty Good Privacy (PGP)
• Secure Multimedia Internet Mail Extension (S/MIME)
These standards all attempted to solve the basic security issues associated with sending
messages via email, and thus enable email messaging to be leveraged for business benefit.
However, in the case of email one standard has emerged as the de-facto industry standard,
Why PEM and PGP are not the solution
PEM was the first credible attempt to make the Internet secure in the late 1980's. PEM
includes encryption, authentication, and key management, and allows use of both public-key
and secret-key crypto-systems. Although many aspects of the PEM design could not be
faulted, it never achieved significant market success, as it was incompatible with MIME, the
standard Internet mail format.
PGP was another standard used to encrypt and decrypt email over the Internet. It provides
message encryption, digital signatures, data compression, and email compatibility.
Developed by Philip R. Zimmermann in 1991, PGP has won considerable acceptance
amongst private individuals. However, it has never achieved sufficient market acceptance
amongst corporations due to its inability to scale adequately for large deployments and,
therefore, has not been adopted by major software vendors such as Microsoft, Lotus and
S/MIME - The industry standard
Unlike the PGP and PEM protocols, S/MIME was designed from the ground up to scale well
for large deployments and has now emerged as the de-facto industry standard for secure
S/MIME became a standard in the late 1990's, and has managed to gain global market
acceptance to date. In fact, S/MIME has penetrated the market to such an extent that it now
figures in both the Netscape and Microsoft portfolios. So why has S/MIME become the de-
facto standard for secure email?
S/MIME is a protocol designed to work within a Public Key Infrastructure (PKI), which
secures communication between two or more parties. The S/MIME standard has been
developed by the Internet Engineering Task Force (IETF) and is based on the PKCS #7
(Public Key Cryptography System # 7) standard for messages, and the X.509v3 standard for
certificates. It extends MIME, the Internet mail standard, so that a message can be given a
digital signature and encrypted.
S/MIME is supported by a number of industry leading vendors including SSE, Microsoft,
Netscape, Lotus, ConnectSoft, Frontier, FTP Software, Qualcomm, Wollongong, Banyan,
NCD, SecureWare, VeriSign, and Novell.
Areas of application for S/MIME are diverse, ranging from secure email to Electronic Data
Interchange (EDI), military and financial applications. With such extensive market
acceptance, S/MIME has become a fundamental part of the Internet messaging
S/MIME v3 ESS
The latest version of S/MIME, S/MIME v3, also defines a number of Enhanced Security
Services (ESS). These are:
• Secure mailing lists - allows just one digital certificate to be used when sending a
secure message to all members of a mailing list
• Signed certificates - binds the signer's certificate to the signature itself; ensuring the
correct certificate is used in the verification process
• Signed receipts - provides proof of delivery of the message and proof that the message
was successfully verified
• Security labels - a set of security information regarding the sensitivity of the content
eB2Bcom Page 2 Feb02
TrustedMIME is a client-based secure email solution developed by SSE (now part of
Guardeonic Solutions) according to the industry standard S/MIME protocol. TrustedMIME
products are marketed, implemented and supported in Australia by eB2Bcom.
TrustedMIME plugs into email clients, providing the user with strong (128-bit) encryption and
(up to 2048-bit) digital signatures to provide a complete secure messaging solution.
TrustedMIME provides support for both Microsoft (Outlook, Exchange, Messaging) and
Lotus Notes platforms.
TrustedMIME offers the following features:
• Focused on usability and maintainability, ease of use, low cost of ownership, leading a
• Easy to deploy, easy to use, easy to administer
• Leading edge technology
• Corporate branding option enabling a strong and consistent corporate identity to be
TrustedMIME is based on a modular design enabling it to work with the organisation's
chosen Public Key Infrastructure (PKI). In the absence of an existing PKI, TrustedMIME
users can generate their own self-signed Public Key Certificates. For existing PKIs,
TrustedMIME can work with external, Commercial Certificate Authorities (CCAs) and also
provides a range of options for working with internal, local CAs, including SSE's scalable
PKI solution, TrustedCA.
TrustedMIME is designed to:
• Secure client-side email communication via strong cryptography
• Provide strong security with minimal impact on the end user
• Provide an interoperable solution based on industry wide standards
• Provide a corporate component for enterprise wide security policy enforcement
• Provide support for the latest S/MIME standards
• Provide industry leading integration and interoperability with Public Key Infrastructures
eB2Bcom Page 3 Feb02
TrustedMIME/Corporate is an add-on tool to the core solution, which enables organisations
to implement enterprise-wide email security. TrustedMIME/Corporate allows organisations to
customise TrustedMIME settings and parameters across the complete install base, ensuring
that all end users conform to the overall corporate security policy. TrustedMIME/Corporate
enables administrators to pre-configure the TrustedMIME client configuration and to
determine which security settings end users have access to.
TrustedMIME/Corporate also allows a strong and consistent corporate identity to be
maintained through branding of the TrustedMIME client.
A number of deployment scenarios for secure messaging systems are presented below. The
first scenario presents the most straightforward deployment option. Subsequent scenarios
detail enhancements to this basic model, leading to increased security and a more robust
At the most basic level, S/MIME requires that users need to be able to distribute copies of
their public keys to one another if they wish to send signed and encrypted messages. This is
usually done through the distribution of digital certificates containing the public keys. Equally
important is the ability of users to protect their private keys. The deployment scenarios
outline mechanisms for distributing public keys and protecting private keys within an S/MIME
• Using Self-signed Certificates
• Using Certificates managed by a Certificate Authority
• Storing Private Keys off-line
• Performing all Cryptographic Operations off-line
When deciding on the most appropriate deployment model the following questions should be
• What is the value of the information that is being protected?
• What level of security is required to provide acceptable protection against compromise of
• What is the cost of implementing and maintaining the security solution?
• What is the complexity of the solution and what impact will this have on rollout and end
• How scalable is the solution and will it meet future security requirements?
The questions above address the key areas of Return on Investment and Total Cost of
Ownership. As a general rule, the higher the level of security, the greater the cost and
complexity of deployment. Therefore, in order to provide real business benefit, the level of
security should ultimately be determined by the value of the information being protected.
Microsoft and Lotus have made significant headway into making their messaging clients
S/MIME and PKI enabled. However interoperability between the two is a major issue and
eB2Bcom Page 4 Feb02
indeed, interoperability with other mail clients is an even greater issue. The use of additional
plug-ins is still necessary in many cases and certainly to facilitate the use of S/MIME v3.
The above comments and descriptions are the opinions and views of eB2Bcom and its staff,
or its suppliers. These comments are not intended to be represented as a complete or
comprehensive description of the topic and readers are encouraged to seek additional
Further information is available from eB2Bcom. eB2Bcom markets, implements and
supports these products in Australia, New Zealand and Asia
Tel: +61 (0) 3 9851 8600
eB2Bcom Page 5 Feb02