Messaging Trends
Mike Lambert, Director of the Messaging Forum, provided an Introduction to the meeting and
identified a number of key characteristics of the Internet email system
that add to the complexity of solutions to key customer requirements:
- The store-and-forward model of Internet email
- The extensive use of mediators that modify the contents of a message in some way during the transmission process
He continued by explaining the role of Regulatory Compliance in
driving the evolution of enterprise messaging systems.
There is a growing recognition of the need to protect the contents of
email through encryption. The first session of the meeting reported on
the current status of different approaches.
Russ Chung, Co-Chair of the Messaging Forum, provided an
overview of Secure Messaging Models,
comparing and contrasting a number of mechanisms:
- End-to-end secure messaging
- Gateway-to-gateway secure messaging
- Web-enabled secure messaging
Wen Fang, from Boeing,
Co-Chair of the Messaging Forum, talked about the Design and Deployment of End-to-End Email
Encryption. The presentation explained how the original needs have
been satisfied and how this is now being deployed as a contractual
requirement for working with Boeing. An important element of this
process was the Messaging Forum Secure Messaging Challenge, which
developed the overall architecture and demonstrated the feasibility of
open standards-based strong encryption of email. Boeing is now
encouraging deployment of this architecture through contractual
requirements on its business partners.
Mike Lambert described
Domain Gateway Encryption, a simpler approach in which email is
encrypted at the domain boundary for transmission across public
networks. This is a much more manageable approach for small and medium
enterprises that lack the resources to implement a full PKI and meets
the regulatory compliance requirements of many market segments (e.g.,
healthcare). In collaboration with the
Massachusetts Health Data
Consortium, the Messaging Forum has developed a
certification program to ensure interoperability between products
that encrypt at the domain gateway.
Stephan Wappler, from
Noventum Consulting, presented an approach to Secure Data Exchange over External
Hosted Mailing Lists. This is a case study for the general problem
associated with mediator systems, such as mailing list exploders, and
handling encrypted email. This presentation showed the results of a
practical approach that demonstrates feasibility.
Unsolicited email (Spam) remains a major challenge. The impact of the
flood of unwanted messages is a major cost to business and a major
threat to the effectiveness of email.
Mike Lambert provided an up-to-date review of the Latest Trends in Combating Spam,
addressing:
- The use of filters to intercept Spam
- New initiatives to authenticate the senders of email
- The role of reputation services
The ability to authenticate the originator (or originator's domain)
of an email is an essential enabler for more reliable message filters
and enforcement of legislation. Several approaches are now being
deployed:
- Path-based (Sender Policy Framework/Sender-ID) - up-to-date
statistics relating to the deployment of these approaches were
presented.
- Crypto-based (DomainKeys Identified Mail) - this new proposal
represents the merger of two different approaches.
Practical conclusions from this session:
- There are now practical, open standards-based approaches to
email encryption available to all sizes of company (although the
challenges of key discovery and exchange remain).
- Companies should now create an SPF record defining the systems
they use to send email. The cost is low, the risk is low, and there
is an immediate reduction in the amount of bounced mail arising from
mail sent by imposters.
- Companies should consider upgrading their Message Transfer
Agents to check SPF records soon. The major vendors have
software just about ready to ship.
- It is probably worth holding off on implementation of
cryptography-based approaches until the merging of the Domain Keys
and Identified Internet Mail specifications is complete (later this
year).
- Companies should start to worry about their email reputation
now, making sure that policies are in place to prevent events
that would generate a negative reputation, such as an ill-managed
direct marketing campaign.
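The SPF recommendations above describe two sides of one mechanism: a domain publishes a TXT record naming the systems allowed to send its mail, and a receiving Message Transfer Agent evaluates the connecting IP address against that record. The following is an added example, not material from the meeting or from any Messaging Forum product; it implements a small subset of SPF evaluation (the ip4, ip6, a, mx, include and all mechanisms with their qualifiers) over a constructed in-memory DNS table using documentation-range addresses, so the whole exchange can be traced offline. A real MTA would use live DNS and a maintained library; the point here is to see what "creating an SPF record" commits a domain to, and why the terminal "-all" versus "~all" choice matters for a company that has not yet listed every legitimate sender.

```python
"""Minimal SPF evaluator (subset of RFC 7208) over a constructed DNS table.

Added example, not from the meeting report. Shows how a receiving MTA
decides whether a connecting IP may send mail for a domain, given the
domain's published SPF record. DNS is a dict here; all names and
addresses are constructed (RFC 5737 documentation ranges), not real.
"""
import ipaddress

# Constructed DNS data. example.com authorises its own /24, its MX host,
# and whatever its outsourced mailer (_spf.mail.example.net) authorises.
DNS = {
    "example.com": {
        "TXT": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.mail.example.net -all",
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
    # The outsourced mailer publishes a soft fail, a common choice while
    # a sender inventory is still being completed.
    "_spf.mail.example.net": {"TXT": "v=spf1 ip4:203.0.113.10 ~all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query; returns None when the record is absent."""
    return DNS.get(name, {}).get(rtype)


def spf_terms(domain):
    """Return the mechanism list of a domain's SPF record, or None if unpublished."""
    txt = lookup(domain, "TXT")
    if txt is None or not txt.lower().startswith("v=spf1"):
        return None
    return txt.split()[1:]


def ip_in(ip, network, default_prefix):
    """True if ip lies within network; a bare address gets a host-length prefix."""
    if "/" not in network:
        network = f"{network}/{default_prefix}"
    return ip in ipaddress.ip_network(network, strict=False)


def host_matches(ip, hostname):
    """True if ip is one of hostname's A records."""
    return any(ip == ipaddress.ip_address(a) for a in (lookup(hostname, "A") or []))


def check_host(ip, domain, depth=0):
    """Evaluate SPF for a connecting ip claiming to send for domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms to 10 per check
        return "permerror"
    ip = ipaddress.ip_address(ip)
    terms = spf_terms(domain)
    if terms is None:
        return "none"  # domain publishes no SPF policy
    for term in terms:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip.version == 4 and ip_in(ip, arg, 32)
        elif name == "ip6":
            matched = ip.version == 6 and ip_in(ip, arg, 128)
        elif name == "a":
            matched = host_matches(ip, arg or domain)
        elif name == "mx":
            mx_hosts = lookup(arg or domain, "MX") or []
            matched = any(host_matches(ip, mx) for mx in mx_hosts)
        elif name == "include":
            # include matches only when the referenced policy yields "pass"
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism: malformed record
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record ended without a matching term or an "all"


if __name__ == "__main__":
    for sender_ip in ("192.0.2.44", "198.51.100.25", "203.0.113.10", "203.0.113.99"):
        print(sender_ip, "->", check_host(sender_ip, "example.com"))
```

The two terminal results are the ones worth noticing: an address absent from example.com's record is rejected outright because that record ends in "-all", whereas the same address checked against the outsourced mailer's "~all" record is only soft-failed. A domain that publishes "-all" before its sender inventory is complete will have its own legitimate mail refused by SPF-checking MTAs, which is the main thing to verify before treating the record as low risk.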
Secure Messaging Professional Certification
The market demand for email encryption is growing explosively.
Companies that have a business need to deploy this capability are
reporting difficulties finding skilled resources to help them. The Open
Group will shortly be initiating a new program to recognize and promote
companies with the relevant skills.
A major focus of the meeting was the development of this program,
with the objective of launch in October 2005. This included:
- Definition of how the certification program will operate
- Review of training materials that can be used to help establish
the necessary knowledge base for certification
- Video training material provided by Wen Fang from Boeing
- Instructor-led training materials provided by Stephan Wappler
from Noventum
More information about this program, together with an opportunity for
messaging professionals and/or companies to pre-register for this
program, may be found here.
More information for members of the Messaging Forum, including early
access to initial training materials, can be found here.
Federated Free/Busy
Scheduling meetings, particularly where participants are
geographically dispersed, is a time-consuming process involving multiple
rounds of negotiation to establish an acceptable date/time. Heavyweight
calendaring and scheduling initiatives have been underway for a decade
and have yet to address this requirement.
The proposal seeks to establish a simple protocol to establish the
free/busy status of people.
As the basis for future work, this meeting included a workshop to
develop a high-level Business
Scenario.
Business Scenarios are a technique, defined as part of The Open Group
Architecture Framework, for defining a problem to be addressed in a
business context.
The workshop established the following objective:
"By end of Q1 2006 there should be a real-time mechanism that is able
to extract and collate/display free/busy information from at least
three major groupware packages using open standard protocols for a
constrained list of named attendees and constrained list of times."
A fuller description of the output from the workshop and next steps
are available to members of The Messaging Forum and can be found here.
Certificate Policy Assurance
Creation and auditing of Certificate Policies is currently delaying
the deployment of PKI-based encryption of email.
This proposal seeks to remove the requirement for companies to have to
audit the Certificate Policies of each of their business partners.
As the basis for future work, this meeting included a joint session
with The Open Group Security Forum to develop a high-level Business
Scenario.
The workshop established the following objective:
"In order to achieve target roll-out of secure messaging, we need to be
able to establish trust with our business partners without the need for us to
audit individual CPs and CPSs through access to a trusted service for independent
audit of certificate policies of our business partners against a set of standard
criteria, by the middle of 2006."
A fuller description of the output from the workshop and next steps
are available to members of The Messaging and Security Forums and can
be found here.
S/MIME Gateway Certification
It is one year since the introduction of the S/MIME Gateway
Certification program to guarantee interoperability of products that
encrypt email at the domain gateway.
Ben Littauer provided a report of deployment to date within
the Healthcare Community in Massachusetts. Products from three vendors
have been deployed operationally.
Stephan Wappler identified barriers to deployment in Europe
that need to be addressed in planning future versions of the profile:
- Automated retrieval, management, and validation of certificates
containing domain keys
- Improved interoperability with desktop encryption solutions