Using S/MIME for Domain to Domain Security - experience from a real world deployment
"Craig McGregor" <Craig.McGregor@treasury.govt.nz> Thu, 12 February 2004 05:17 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA24657 for <smime-archive@lists.ietf.org>; Thu, 12 Feb 2004 00:17:46 -0500 (EST)
Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i1C4lRgH020023; Wed, 11 Feb 2004 20:47:27 -0800 (PST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i1C4lRvG020022; Wed, 11 Feb 2004 20:47:27 -0800 (PST)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from fledermaus.treasury.govt.nz ([202.36.173.38]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i1C4jPgg019893 for <ietf-smime@imc.org>; Wed, 11 Feb 2004 20:46:11 -0800 (PST) (envelope-from Craig.McGregor@treasury.govt.nz)
Received: from juliet.hamlet.treasury.govt.nz (Not Verified[172.20.2.43]) by fledermaus.treasury.govt.nz with Non-Descript e-mail server id <B000120132>; Thu, 12 Feb 2004 17:40:43 +1300
MIME-Version: 1.0
Subject: Using S/MIME for Domain to Domain Security - experience from a real world deployment
X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1
Date: Thu, 12 Feb 2004 17:42:12 +1300
Message-ID: <14270A31340CCF46A050FEC25B8F50A00693F0A4@juliet.hamlet.treasury.govt.nz>
Thread-Topic: Using S/MIME for Domain to Domain Security - experience from a real world deployment
Thread-Index: AcPgMxR4QhthgT4WSqqt39NlzBet/QP6s7JQ
From: Craig McGregor <Craig.McGregor@treasury.govt.nz>
To: ietf-smime@imc.org
Cc: Russ Housley <housley@vigilsec.com>, Ben Littauer <littauer@blkk.com>
content-class: urn:content-classes:message
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i1C4kBgg019926
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 8bit
Part 1: The Test Lab (October 2000) =================================== After receiving responses from an RFP, three vendors claimed that they could supply a solution using S/MIME gateway products. We created a test-lab (October 2000) to test the interoperability between these three S/MIME gateway products. Typically these products were e-mail content filters with S/MIME add-ons - although content filtering was not part of our requirements. Achieving interoperability was a more challenging task than we first envisaged. We relatively quickly got to a stage where we were able to achieve one way interoperability between products - We had a scenario similar to: Product A could send to Product B but not to Product C Product A could receive from Product C but not from Product B Product B could send to Product C but not to Product A Product B could receive from Product A but not from Product C Product C could send to Product A but not to Product B Product C could receive from Product B but not from Product A Obviously the fact that although each product used S/MIME there had not been much interoperability testing with other products. It was clear that each product was implemented very differently for how they identified domain secured e-mail. One product implemented a very early draft of what is now RFC3183, another relied on a custom X-Header line and the other implemented manually configured matching. There were also some issues even with the S/MIME implementations interoperating as well. E.g. When certain elements of s/mime messages were DER encoded rather than BER encoded would cause one product to fail - but not the others... We were eventually able to get each product interoperating after some testing of why products didn't like each other and a combination of vendor provided work-arounds, patches and upgrades to their software. - All three products were able to deal with manually configured groups of domains for gateway to gateway S/MIME interoperation - Interoperability was only achievable by using a lowest common denominator approach of S/MIME v2. We also applied the naming conventions from the DOMSEC draft of the time to ensure that we had consistent naming conventions in our certificates. - There was not a great deal of vendor enthusiasm for updating their products to enable us to upgrade our interoperability spec to use either draft or experimental technical specifications because of the potential for such specifications to be 'moving goalposts'. There were suggestions that the relevant product managers would consider support for something that was deemed 'standard' in their products. To state the obvious it would have been ideal if all S/MIME gateway products were able to interoperate 'out-of-the-box' and thereby reduce our necessary testing to compliance with our business rules rather than with technical specifications and our business rules. Part 2: A pilot group and a small community of participating domains (Nov 2000 - Early 2001) ======================================================================== ===================== We started with a pilot between three central government agencies - The Treasury, The State Services Commission and Parliament. This pilot involved a manual exchange of certificates between the gateways and was highly successful. End users no longer needed to manage certificates, or, choose whether to secure a message - it just happened for them. We had now secured internet e-mail communications between more users than was possible during our previous (failed) pilot of desktop-to-desktop e-mail security. Other government agencies joined our secure e-mail community. It had now become the standard way of securing e-mail between public-sector agencies. As more and more agencies joined the use of manual certificate exchanges were becoming burdensome in the opinion of system administrators at some government agencies. We found that manually implemented key management was prone to errors because system administrators key management operations were not performed regularly - once a year for your own domain and a few times a year for the different expiry dates on the other domains. Similarly, keys seemed to expire at inconvenient times (such as when system administrator was away) and cause e-mail disruptions. There is a potential paradox between e-mail being high availability and PKI being "failsafe" for high security (therefore stopping if something is wrong). Part 3: Managing a large community of participating domains (2002-2004) ======================================================================= A. SMARTS (S.E.E. Mail Automated Reference Test Server) Misconfiguration of S/MIME gateways in participating domains can cause delivery of e-mail to other participating domains if such misconfiguration does not conform to the business rules, and thus an e-mail alert would be sent to the end user. E.g. a Postmaster Non-Delivery notification is not signed and encrypted by a participating domain, then the recipient of another participating domain will get an e-mail to say the e-mail (the NDR) was received insecurely. To counter problems created from configuration errors of S/MIME gateways we setup a test server that works by exchanging e-mail with an administrator from a participating domain. This test suite of e-mails contains tests for our business rules and any exceptions that we have found to cause problems over time. An administrator from a participating domain is therefore able to test that they correctly process e-mail as per the business rules whenever they make configuration changes to their networks. The SMARTS server tests for compliance with our business rules rather than interoperability which is proven before upgrades or new products are included in our S.E.E. Mail community. B. Key Management As the size of a 'community' that secures their e-mail communications grows, the likelihood of poor key management occurring and having a negative impact on the system increases. Using server-side software, rather than interactive client software means that choices cannot be made interactively at the time if there is a problem with a certificate (e.g. expired, revoked). Some automation is required in order to take some action - you cannot put a prompt on the screen and expect a user to do something about it! To correct this we have required changes to the products used in S.E.E. Mail to be able to use an LDAP directory for two purposes: - To obtain the current membership list of the S.E.E. Mail community. (i.e. which domains need S/MIME gateway signing/encryption/decryption applied) - To obtain the current certificates for members of the S.E.E. Mail community (e.g. a certificate becomes invalid, new member) Where to from here? =================== When comparing our real world deployment against the specifications contained in RFC3183 there would appear to be a number potential areas for simplification of RFC3183, or, possibly an opportunity for a completely new rewrite that is a simpler Informational or Standards track RFC along the lines "Securing e-mail between domains using S/MIMEv3.1". For more information on the S.E.E. Mail project please refer to http://e.govt.nz/see/mail/ You may also be interested in a similar project by the Massachusetts Health Data Consortium http://www.mahealthdata.org/initiatives/e-mail/. Although I have not had any involvement in this project, the documentation contained on their website shows very similar findings to the S.E.E. Mail project. -----Original Message----- From: Russ Housley [mailto:housley@vigilsec.com] Sent: Thursday, 22 January 2004 4:26 a.m. To: Craig McGregor; ietf-smime@imc.org Subject: Re: Status of RFC3183: Domain Security Services using S/MIME If there is sufficient experience from deployments such as yours, then I would not be opposed to expending the charter of the S/MIME WG to progress the DOMSEC document from Experimental to the Standards Track. Of course, people with the lessons learned from such deployments must be willing to participate in the discussions. Russ
- Using S/MIME for Domain to Domain Security - expe… Craig McGregor