Internet Mail Consortium Workshop Spurs Action On Security FOR IMMEDIATE RELEASE February 21, 1996: Creators of Internet mail security techologies today agreed to try to make it easier for email users to send and receive signed and private mail. At the Internet Mail Consortium's Workshop for Resolving Email Security Complexity, important customers and manufacturers in the the email security market came together, clarified their requirements and goals, and agreed to try to reconcile some of the differences among competing security technologies. Current Situation Although security services, such as content privacy and authentication of sender, are regarded as requirements for business use of the Internet, there is little deployment of electronic mail security. Several contenders for the email security "standard" exist, each of which claim to support the standard multimedia extensions for Internet mail (MIME). MIME and many related technologies was developed by the Internet Engineering Task Force (IETF), the body that sets technical standards for the Internet. Four technologies dominated the discussion at the workshop: - The official Internet standard is MIME Object Security Services (MOSS); however, it appears to have limited support from the email industry. - A privately-developed technology, Pretty Good Privacy (PGP), is the only contender with a substantial installed base of users. - Recent work by the vendor consortium led by RSA Data Security has developed the Secure Mime (S/MIME) specification. - There are indications that a security technology created for the US Defense Messaging Service, called Message Security Protocol (MSP), is being adapted for use over Internet email. The fact that there are four solutions becomes an excess of potential riches since none of these technologies works with the others. To be certain of interoperability with all recipients, an email user would be required to support all of these technologies, and would have enormous difficulty keeping track of the necessary configuration information. Results of the Workshop The Resolving Email Security Complexity workshop brought together industry specialists who are creating the technologies and products that use email security and the people who must operate end-user organizations that use Internet email. The workshop sought to open lines of communication among the contenders and the user constituencies, to resolve misinformation about each technology, and to seek opportunities for reconciling some or all of the differences among the technologies. More than 60 attendees, from all sectors of the email and Internet user and provider communities, labored for the day. As a first step towards simplifying the differences among the contenders, the group developed strong consensus for two major requirements: 1. Native Internet mail environments should be provided support for authentication of sender through use of the MIME "Multipart/Signed" mechanism. 2. Representatives of the different securities technologies should cooperate and seek to meet four major milestones: - By April 1, 1996, they should develop a list of the technical differences of the technologies. - By June 1, 1996, they should jointly or separately develop a list of explanations of the requirements that justify each of those differences. - At the IETF standards meeting in Montreal (starting June 24, 1996), they should hold extended meetings and seek to eliminate as many of their differences as possible. - There should follow efforts to submit any additional specifications for IETF standardization as soon as possible. The Internet Mail Consortium agreed to help the security technology representatives meet these goals through discussion coordination and other support services. - - - The Internet Mail Consortium in an industry association that promotes the use of Internet email and pursues its enhancements. It was formed at the beginning of 1996. Information about the Internet Mail Consortium is freely avialable from or Press contact: Paul Hoffman, , (408) 426-9827.