Secure E-Mail Clients: Not Quite Ready For S/MIME Prime Time. Stay Tuned.
To test interoperability between the S/MIME clients, we installed two copies of each product with its own mail account on our Solaris-based SMTP, POP3 and IMAP4 server. We enrolled each product with a personal certificate and sent signed messages to distribute each user's certificate. We relied on this initial message exchange to distribute certificates as a lowest-common denominator of S/MIME messaging.
It's also important to remember--security issues aside--that these products are primarily mail clients. Ease of use and powerful feature sets are important to users and, so, aptly reflected in our Report Card. Of particular note are support for LDAP (both for address lookup and certificate retrieval), the seamless integration of security features and user-oriented tools like automated message filtering.
Of the five products we tested, Netscape Messenger quickly emerged as not only the most interoperable (it was the only universal recipient that decoded messages from every S/MIME client), but also as one of the most reliable products. Its browser integration simplified certificate enrollment, and it did a decent job of hiding some of the complexities of certificate management. We also liked Microsoft Outlook Express as an e-mail client in general. It performed well when tying certificates to address book entries, but it had problems decoding opaque signed messages. As a secure e-mail client, OpenSoft's ExpressMail offered some well-thought-out features, but we encountered stability problems and trouble decoding opaque signed messages.
Finally, we were not as happy with Baltimore's MailSecure and Worldtalk's WorldSecure plug-ins. Although they offer the choice of supporting S/MIME in Exchange, Outlook or Eudora products, they don't integrate the security features as well as the other products. Dependent upon external mail clients to handle and display messages, they were at times limited by the message transport agents (particularly MAPI). Also, Worldtalk's Eudora plug-in couldn't process HTML-encoded messages, even though Eudora understands HTML.
Our frustrations with the current state of enterprise PKI (public key infrastructure)--particularly the lack of common certificate enrollment strategies, centralized management and certificate validity checking--are reflected in the low average grades for all the products we tested.
(For a detailed discussion of PKI management issues, see "Managing Digital Keys," www.NetworkComputing.com/822/822f1.html.)
Because many of these products deliver fine mail services to the desktop, it's obvious that the S/MIME standard needs work before it will be an appropriate enterprise secure messaging solution. We recognize that it is edging its way toward a de facto standard for secure messaging, especially following support by both Netscape and Microsoft. However, it's painfully clear that the PKI necessary to support an enterprise S/MIME solution is still behind. While we favor browser-based solutions because of their superior interoperability, certificate enrollment options and general feature sets, we can't in good conscience recommend any current S/MIME solution until effective certificate management standards are adopted.
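The "opaque signed" messages that several clients failed to decode wrap content and signature in one PKCS#7 object (`application/pkcs7-mime` with `smime-type=signed-data`), while clear-signed mail is `multipart/signed` and stays readable in any MIME client. The following Python sketch is an added example, not part of the original review or any tested product; it classifies a message by its top-level headers, and the function names and sample messages are constructed for illustration.

```python
from email import message_from_string

# S/MIME media types; the "x-" forms are the older S/MIME v2 names.
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PKCS7_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def classify_smime(raw):
    """Classify a raw message by its top-level MIME headers only."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        # Clear-signed: readable body part plus a detached signature part.
        proto = str(msg.get_param("protocol") or "").lower()
        return "clear-signed" if proto in PKCS7_SIG else "not-smime"
    if ctype in PKCS7_MIME:
        # Body is a single PKCS#7 object; smime-type says what it holds.
        smime_type = str(msg.get_param("smime-type") or "").lower()
        if smime_type == "signed-data":
            return "opaque-signed"
        if smime_type == "enveloped-data":
            return "encrypted"
        # No usable smime-type: signed vs. encrypted needs PKCS#7 parsing.
        return "pkcs7-unknown"
    return "not-smime"

def readable_without_smime(raw):
    """True if a non-S/MIME mail reader can still show the message text."""
    return classify_smime(raw) in ("clear-signed", "not-smime")

# Constructed sample messages; "AAAA" stands in for real base64 PKCS#7 data.
CLEAR_SIGNED = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/signed; micalg=sha1; boundary="b1";\n'
    ' protocol="application/x-pkcs7-signature"\n\n'
    "--b1\nContent-Type: text/plain\n\nhello\n"
    "--b1\nContent-Type: application/x-pkcs7-signature\n\nAAAA\n--b1--\n"
)
OPAQUE_SIGNED = (
    "MIME-Version: 1.0\n"
    'Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"\n'
    "Content-Transfer-Encoding: base64\n\nAAAA\n"
)
LEGACY_NO_TYPE = (
    "MIME-Version: 1.0\n"
    'Content-Type: application/x-pkcs7-mime; name="smime.p7m"\n\nAAAA\n'
)

if __name__ == "__main__":
    for raw in (CLEAR_SIGNED, OPAQUE_SIGNED, LEGACY_NO_TYPE):
        print(classify_smime(raw), readable_without_smime(raw))
```

A result of `pkcs7-unknown` means the sender omitted `smime-type`, so the receiver must parse the PKCS#7 content itself to learn whether it is signed or encrypted.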
Netscape Communications Corp. Messenger (Communicator 4.04)
As part of Web browser suites, both Netscape Messenger and Microsoft Outlook Express share a certificate database with their sister Web browsers. This has the convenient, though perhaps unfair, advantage of using the Web interface as their primary certificate enrollment strategy, for both personal and CA root certificates. All three certificate authorities we tested--Microsoft's IIS 4.0 (Internet Information Server) Certificate Authority, Netscape's Certificate Server and Xcert's Sentry CA--supported only Web-based enrollment. We were disappointed that none of the CAs tested offered support for standalone S/MIME clients, which must enroll certificates via MIME-encoded PKCS#7 responses. As a result, the Web-integrated mail clients offered seamless integration with our test CAs, while we were forced to rely on self-signed certificates or VeriSign certificates for the other products.
Netscape permits private key and certificate support via an anticipated acceptance of the PKCS#12 certificate/key exchange standard, which is compatible with both Microsoft's Internet Explorer and Worldtalk's WorldSecure. It let us exchange credentials among Communicator, Microsoft Internet Explorer and Worldtalk WorldSecure client via disk files.