Secure E-Mail Clients: Not Quite Ready For S/MIME Prime Time. Stay Tuned.

Like each non-Web integrated product, Worldtalk obtains certificates via e-mail using PKCS#10 requests and MIME-encoded PKCS#7 responses. Access to VeriSign is bundled. However, in its latest incarnation, Worldtalk adds a PKCS#12 importer compatible with Netscape and Microsoft's private key/certificate exporters--a valuable feature for disk-file based enrollment. We imported a Web-enrolled private key/certificate pair from Communicator and Internet Explorer into the WorldSecure client (however, it cannot export to PKCS#12). Like OpenSoft, the WorldSecure client also generates self-signed certificates for use without a CA.

While it's tempting to implement "plug-in" support for S/MIME into existing desktop mail clients, Worldtalk's client didn't provide a convincing argument. Certificate management is awkward, handled outside the mail client. Worldtalk's external certificate manager forces you to maintain two separate address books: one in the mail client stores addresses, and another in the WorldSecure client maps certificates to e-mail addresses. While we see the merits of Worldtalk's external address book for maintaining specific S/MIME settings per recipient, it was frustrating and made S/MIME more of a chore than a transparent messaging service.

Baltimore MailSecure
Operating undercover, Baltimore's MailSecure integrates almost invisibly into Microsoft Exchange and Outlook 97 clients, adding only a certificate manager window, a small configuration page, and "sign" and "encrypt" buttons to message composition windows. Unfortunately, MailSecure is hurt by its dependence on MAPI. Unable to transmit or receive the de facto standard clear signed messages, MailSecure did not fare well in our interoperability tests. Netscape and both Worldtalk plug-ins read its opaque-signed messages, while ExpressMail and Outlook Express couldn't decipher its messages. Because the messages were opaque-signed, the user saw an empty message with an unreadable attachment. On the receiving end, only Worldtalk's Outlook plug-in generated opaque-signed messages without user intervention. Microsoft requires setting a global option for opaque-signing all outgoing messages to send signed messages to MailSecure.
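The difference between the two signing formats shows up in the MIME headers. The following added example (not part of the original review or any vendor's code) classifies a message as clear-signed or opaque-signed and returns the text a client with no S/MIME support could still display; the sample messages, addresses and the `classify` helper are constructed for illustration.

```python
from email import message_from_string

# Constructed samples; the base64 body is a placeholder, not a real PKCS#7 object.
CLEAR_SIGNED = """\
From: alice@example.com
Subject: clear-signed sample
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha1; boundary="b1"

--b1
Content-Type: text/plain

Quarterly numbers attached.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""
OPAQUE_SIGNED = """\
From: alice@example.com
Subject: opaque-signed sample
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
"""
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PKCS7_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def classify(raw):
    """Return (signing format, text readable without any S/MIME support)."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    protocol = (msg.get_param("protocol") or "").lower()
    if ctype == "multipart/signed" and protocol in PKCS7_SIG:
        # Clear-signed: part 1 is ordinary MIME content, part 2 the detached signature.
        body = msg.get_payload()[0]
        if body.get_content_maintype() == "text":
            return "clear-signed", body.get_payload(decode=True).decode(errors="replace").strip()
        return "clear-signed", ""
    if ctype in PKCS7_MIME:
        # The content is wrapped inside the PKCS#7 object, so no part is readable as-is.
        smime_type = (msg.get_param("smime-type") or "").lower()
        return ("opaque-signed" if smime_type == "signed-data" else "pkcs7-mime"), ""
    return "unsigned", "" if msg.is_multipart() else msg.get_payload().strip()
```

The empty string returned for the opaque-signed sample corresponds to the empty message with an unreadable attachment described above.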

Although enterprise S/MIME deployments will most likely rely on LDAP for certificate distribution instead of the default mail attachments, MailSecure lacked support for LDAP. Reliant on Microsoft's MAPI mail clients, MailSecure also won't support IMAP until Outlook 98 is released.

MailSecure's certificate management provides a simple interface for setting individual or CA-inherited trust models. However, MailSecure only bundles support for self-signed certificates and Baltimore's own demonstration CA. According to Baltimore, it provides enterprise users with individually tailored versions of MailSecure with built-in support for Baltimore's UniCert enterprise CA.

We were disappointed that MailSecure fell to the bottom of the report card. MailSecure appears to be in the wrong place at the wrong time. Its reliance on opaque-signed messages is a function of its dependence upon Microsoft's MAPI clients, but its lack of opaque-signing support on other clients hurt its interoperability marks. It did a decent job of hiding S/MIME details from the user, while still presenting icons that clearly show signed and encrypted mail. Baltimore deserves praise for shipping a solid, bug-free product.

Dan Backman can be reached at dbackman@nwc.com.

