Secure E-Mail Clients: Not Quite Ready For S/MIME Prime Time. Stay Tuned.

OpenSoft ExpressMail 2.5
The only true standalone product we tested, ExpressMail tightly integrates support for S/MIME in an outwardly easy-to-use POP3 and IMAP4 client. Although hampered by some stability problems, OpenSoft does provide a simple, yet inclusive interface to secure mail. Beneath its friendly facade, however, lies a powerful administrative interface. Unfortunately, OpenSoft faces stiff competition from Microsoft and Netscape's mail clients, which offer features similar to ExpressMail's, and whose software is most likely already installed on users' desktops.

As a standalone e-mail client, ExpressMail cannot use a Web-based certificate enrollment, so we were limited to using self-signed and VeriSign certificates in our tests. Fortunately, VeriSign's services were bundled free. Upon installation, ExpressMail created a personal certificate and offered to leave it as a self-signed certificate or automatically submit it to VeriSign for a valid root signature. Using a standard PKCS#10 certificate request, VeriSign returned a usable certificate in seconds, and ExpressMail was ready to send secure messages.

ExpressMail supports third-party CAs, but root CA certificates must be installed manually from PKCS#7 files or MIME messages. Likewise, certificate requests are limited to "cut-and-paste" PKCS#10 requests, and subsequent enrollment requires the CA to provide a PKCS#7 encoded certificate (a feature that none of our CAs supported).

We were impressed with OpenSoft's attention to detail on the administrative end. While the user is largely shielded from managing certificates (provided that the administrator handles initial certificate enrollment), the administrator sets and locks security policies. One particularly useful item is ExpressMail's message escrow feature. Good for organizations that need to archive all message traffic, ExpressMail allows the administrator to define a message escrow for each client. Automatically copying outgoing messages to a predefined archive mailbox, encrypted in an administrative key, ExpressMail creates a simple workaround to the dilemma of escrowing each user's key.

We found ExpressMail's support for clear-signed messages spotless. However, it couldn't exchange signed messages with opaque-only MAPI clients.

We found OpenSoft's certificate management decent overall, but like all present S/MIME clients, it forces the user to perform detailed certificate tracking. We couldn't obtain root CA certificates from our local CAs directly because they didn't support PKCS#7 enrollment. Nevertheless, ExpressMail displayed new CAs to the certificate manager when individual certificate chains were received (from incoming messages).

We are concerned with ExpressMail's stability problems. A bug in the signature verification routines crashed each installed copy of ExpressMail every time it encountered a signed message from Worldtalk's WorldSecure plug-in for Microsoft Outlook 97. OpenSoft verified the bug and promises to fix it in the next release.

ExpressMail is a noteworthy product with forward-looking directory support. With an LDAP-enabled address book, it not only retrieves recipient information from the directory, but also publishes personal certificates to a local LDAP server. Its interface is quite attractive, adorned with colorful icons and logos and large, animated status windows. While outwardly friendly, ExpressMail suffered a severe performance penalty. We were surprised to wait more than 10 seconds to sign and transmit or to receive and verify even the smallest text message--a process that takes less than a second on other S/MIME clients on the same workstation.

Worldtalk WorldSecure 2.2
Worldtalk's Eudora Pro plug-in proved excellent at message handling, but we found it very cumbersome when compared to the Outlook plug-in. All incoming S/MIME messages show up as attachments in an otherwise empty message in the Eudora window. Double-clicking on the attachment launches the WorldSecure Client, which verifies the signature, decrypts the message and spits it back into Eudora's message window. Unfortunately, if the message contains HTML-encoded text, Eudora cannot process the formatting, leaving a message hidden in HTML code.

We also uncovered two bugs in the Eudora plug-in. The plug-in failed to automatically add an address book entry in the WorldSecure client, and outgoing messages flagged as signed-only (not encrypted) managed to pass through the plug-in without being signed. We solved both problems in the Eudora plug-in by upgrading from Eudora Pro 3.0.3 to version 4.0.
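
Two findings above turn on what form a signed message takes on the wire: ExpressMail's trouble with opaque-only clients, and the Eudora plug-in letting signed-only mail leave unsigned. The Python code below is an added example, not taken from the review or from any vendor; it classifies a message's outer S/MIME layer from its MIME headers and lists outbound messages that carry no signature. The function names and sample messages are constructed for illustration.

```python
from email import message_from_string

# Current and legacy "x-" media type names both appear in real mail.
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PKCS7_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def classify_smime(raw: str) -> str:
    """Classify the outer S/MIME layer of a message; no signature is verified."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        proto = str(msg.get_param("protocol", "")).lower()
        parts = msg.get_payload() if msg.is_multipart() else []
        # Clear-signed: readable content part followed by a detached signature part.
        if proto in PKCS7_SIG and len(parts) == 2 \
                and parts[1].get_content_type() in PKCS7_SIG:
            return "clear-signed"
        return "unrecognized"  # e.g. another signing protocol or a missing part
    if ctype in PKCS7_MIME:
        # Opaque: content is wrapped inside the CMS object, unreadable without S/MIME.
        smime_type = str(msg.get_param("smime-type", "")).lower()
        return {"signed-data": "opaque-signed",
                "enveloped-data": "encrypted"}.get(smime_type, "pkcs7-unlabelled")
    return "unprotected"

def unsigned_subjects(outbound: list[str]) -> list[str]:
    """Subjects of messages that were meant to be signed but carry no signature."""
    signed = {"clear-signed", "opaque-signed"}
    return [message_from_string(m)["Subject"] for m in outbound
            if classify_smime(m) not in signed]

# Constructed sample messages (placeholder base64 bodies, not real signatures).
CLEAR = (
    'Subject: clear\nMIME-Version: 1.0\n'
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\n'
    ' micalg=sha1; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain\n\nhello\n'
    '--b1\nContent-Type: application/pkcs7-signature; name="smime.p7s"\n'
    'Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n'
)
OPAQUE = (
    'Subject: opaque\nMIME-Version: 1.0\n'
    'Content-Type: application/x-pkcs7-mime; smime-type=signed-data;\n'
    ' name="smime.p7m"\nContent-Transfer-Encoding: base64\n\nAAAA\n'
)
PLAIN = 'Subject: should-be-signed\nContent-Type: text/plain\n\nhello\n'

if __name__ == "__main__":
    for name, raw in (("CLEAR", CLEAR), ("OPAQUE", OPAQUE), ("PLAIN", PLAIN)):
        print(name, classify_smime(raw))
    print(unsigned_subjects([CLEAR, OPAQUE, PLAIN]))
```

Only the outermost layer is inspected, so a signed message wrapped inside an encrypted one is reported as encrypted.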