Secure E-Mail Clients: Not Quite Ready For S/MIME Prime Time. Stay Tuned.

As a mail client, Messenger successfully shielded us from the complexities of S/MIME. Key management is hidden under the security menu, and certificate mapping is handled more or less transparently by simply mapping recipient certificates to e-mail addresses. However, this one-to-one, certificate-to-address mapping means that if the recipient's certificate is compromised or changes for any reason, the old certificate must be manually deleted by the user via the security menu. Although it is a common strategy of the S/MIME clients we tested, this process shouldn't require user intervention. Certificates should automatically be downloaded or verified from the LDAP directory or CA directly. Here S/MIME has the opportunity to leverage the strength of an enterprise PKI, off-loading the burden of certificate management.

The status of incoming messages is clearly marked with an icon that indicates whether the message is signed or encrypted and whether the signature is valid. Detailed security information is available by clicking on the message's security icon. In addition, Netscape has integrated its client with its LDAP directory-enabled back-end services. Because X.509 certificates are part of Netscape's standard user schema, an LDAP query through the address book produces certificates and recipient e-mail addresses and other white pages-type information.

Netscape Messenger is not without its shortcomings, however. While it did an excellent job of decoding incoming messages from its peers, it doesn't support sending opaque signed messages--effectively cutting off communication with MAPI-based products like Baltimore's MailSecure and Worldtalk's WorldSecure Exchange client. Also, Netscape trusts only certificates that are signed by a valid CA; there is no way to explicitly trust a self-signed certificate. This is an appropriate feature for enterprise deployments, as trusting individual, self-signed certificates defeats the purpose of CAs. However, small workgroups may be frustrated by the need to either set up a local certificate authority or contract with a public CA, like VeriSign, to issue valid certificates. Baltimore, OpenSoft and Worldtalk all offer the capability of generating self-signed certificates, which make them easier to deploy in a workgroup environment.

Of course, there is more to an e-mail client than security. Messenger is also a useful Internet mail client with full support for HTML-encoded messages, online address books and automatic message filtering. The only interface-related complaint we had with Messenger was its HTML-based menus.

Microsoft Outlook Express (Internet Explorer 4.01) 128-Bit Version
Although largely on par with Netscape's Messenger product, Microsoft slid below its archrival, Netscape, because of what appeared to be a bug in decoding opaque signed messages. While Microsoft claims to have support for both sending and receiving opaque signed messages, we found it couldn't recognize opaque signatures as S/MIME messages. In the lab, incoming opaque signed messages resulted in an unrecognized "smime.p7s" attachment--with no recognized signature. Ironically, Outlook Express includes an option to force outgoing messages to be opaque signed (most clients prefer clear signing by default, since non-S/MIME clients can still read the message), making Outlook Express the "universal donor" in our compatibility tests.
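The clear-signed versus opaque-signed distinction discussed above is visible in a message's MIME headers. The following is an added example, not part of the original review: it classifies two constructed sample messages by Content-Type and reports whether the body is readable without S/MIME support. The addresses, boundary and placeholder signature bytes are assumptions.

```python
from email import message_from_string

# Constructed samples; the base64 "signature" is a placeholder, not real PKCS#7.
CLEAR_SIGNED = """\
From: alice@example.com
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha1; boundary="b1"

--b1
Content-Type: text/plain

Readable by any mail client.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""

OPAQUE_SIGNED = """\
From: alice@example.com
Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
"""

# Both the registered types and the legacy "x-" forms used by early clients.
PKCS7_MIME = ("application/pkcs7-mime", "application/x-pkcs7-mime")
PKCS7_SIG = ("application/pkcs7-signature", "application/x-pkcs7-signature")

def classify(raw):
    """Return (kind, text readable without S/MIME support, or None)."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        proto = (msg.get_param("protocol") or "").lower()
        parts = msg.get_payload()
        # Clear signing: part 1 is the content in the clear, part 2 the detached signature.
        if proto in PKCS7_SIG and isinstance(parts, list) and len(parts) == 2:
            body = parts[0]
            text = None if body.is_multipart() else body.get_payload().strip()
            return "clear-signed", text
        return "malformed-multipart-signed", None
    if ctype in PKCS7_MIME:
        # Opaque signing wraps content and signature in one PKCS#7 blob.
        kind = (msg.get_param("smime-type") or "").lower()
        return {"signed-data": "opaque-signed",
                "enveloped-data": "encrypted"}.get(kind, "pkcs7-mime-untyped"), None
    return "not-smime", None
```
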

Outlook Express, like Netscape's Messenger, does not sacrifice features even as a bundled product. Don't confuse Outlook Express with its big brother, Outlook 97, however. A dedicated Internet mail client, Outlook Express supports IMAP, POP3 and SMTP directly, whereas Outlook 97 is a MAPI client (it supports SMTP and POP3 through a local Internet Mail Service, or gateway) and also offers calendaring and contact management features.

Like Netscape's Messenger, Outlook Express neatly hides the details of S/MIME, presenting simple icons to indicate signed and encrypted messages. We liked Microsoft's approach of logically managing recipient certificates via the address book, which had the added benefit of storing more than one certificate per user, but selecting one as the default certificate for sending encrypted mail. We didn't like the fact that Outlook Express doesn't automatically add received certificates to the address book. But Microsoft offered a valid argument: Do you want to add a certificate for each piece of "spam" in your mailbox? The answer is obvious. Outlook, however, does have an option that automatically adds certificates to the address book when replying or forwarding a signed message.

Because of its integration with Internet Explorer, initial certificate enrollment was available through our local certificate authority. Once the root CA certificate and personal certificate were enrolled via the Web browser, Outlook Express was ready to send secure messages. In addition, adding support for additional trusted CAs is easy: simply download the CA certificates. However, enterprise deployments will want to lock down root CA trusts via the Internet Explorer Admin Kit. In addition to Web enrollment, we were pleased to see Microsoft and Netscape exchange private keys and certificates to and from disk via PKCS#12.

Microsoft also added a vital feature we didn't see in other products: migration tools. Outlook Express imports not only address books, but also folders and messages from major Internet mail clients, such as Eudora Pro, Netscape Communicator, and Microsoft's own Exchange, Outlook 97 and Windows Messaging clients.

An easy-to-use e-mail client with well-integrated S/MIME support, Microsoft Outlook Express is as sound an S/MIME client as Netscape Messenger. We look forward to seeing the opaque signature decoding bugs fixed in its next release.

