
10 Individual-to-individual secure email

  1. For small closed groups of users requiring high security, individual-to-individual secure email is still appropriate. A clear example of this is interaction between an IT security officer and private sector IT security auditors.

2 Essential requirements for client S/MIME

  • Certificates and certificate authorities as per above

  • S/MIME version 2 or 3

  • Good CRL or OCSP handling (not essential for a small group)

  • Configurable to encrypt using 3DES only

3 Recommended requirements for client S/MIME

  • Certificates and certificate authorities as per above

  • S/MIME version 3

  • Good CRL or OCSP handling

  • Configurable to encrypt using 3DES only

  • LDAP retrieval of individuals' certificates (essential for a group over 12 people)

4 Email clients

  1. Questions about specific email clients should be directed to the S.E.E. Project Team directly.

5 Distribution lists and listserves

  1. Local distribution lists can work well if the client can associate distribution list entries with certificates in some way, e.g. on-the-fly list expansion and lookup via LDAP; however, this sort of functionality needs to be tested with each mail client.

  2. Some directory products may be able to return a list of entries for a single entry in the directory; however, client support would also need to be confirmed. If this works, then distribution lists could be managed centrally.

  3. Listserves do not work with S/MIME encryption, as the client does not have the certificates for the final recipients. S/MIME v3 ESS Mail List Agents (MLAs) are designed to work around this. The MLA manages lists and membership of those lists. An MLA has a certificate so that the message from the sender to the MLA can be encrypted. The MLA can decrypt the message, retrieve the certificates for the intended recipients, encrypt the message for those recipients, and send it on its way.
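
The MLA flow described in item 3, as an added example that is not part of the guideline: a script driving the OpenSSL CLI to build a throwaway test PKI, encrypt a message for the MLA with 3DES, have the MLA re-encrypt it for each list member, and have the members decrypt it. The party names (mla, alice, bob), the members/ directory standing in for an LDAP lookup, and the sample message are constructed for this example.

```shell
# Added example, not part of the guideline: the ESS Mail List Agent flow with
# the OpenSSL CLI. Party names, the members/ directory (standing in for an LDAP
# lookup) and the message are constructed for this demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed certificate and key for one party (throwaway test PKI).
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Sender: encrypt for the MLA's certificate only, 3DES as the guideline
# requires (-des3). The sender does not need the members' certificates.
sender_encrypt() {
  printf 'Subject: audit\n\n%s\n' "$1" |
    openssl smime -encrypt -des3 -out "$WORK/to-mla.p7m" "$WORK/mla.crt"
}

# MLA: decrypt with its own key, fetch each member's certificate, re-encrypt
# one copy per member, then remove the plaintext from the list host.
mla_expand() {
  openssl smime -decrypt -in "$WORK/to-mla.p7m" -recip "$WORK/mla.crt" \
    -inkey "$WORK/mla.key" >"$WORK/clear.txt"
  for crt in "$WORK"/members/*.crt; do
    m=$(basename "$crt" .crt)
    openssl smime -encrypt -des3 -in "$WORK/clear.txt" \
      -out "$WORK/to-$m.p7m" "$crt"
  done
  rm -f "$WORK/clear.txt"
}

# Member: open the copy addressed to it; print the body line (CRLF stripped).
member_decrypt() {
  openssl smime -decrypt -in "$WORK/to-$1.p7m" -recip "$WORK/$1.crt" \
    -inkey "$WORK/$1.key" | tr -d '\r' | sed -n '3p'
}

# Full round trip. The failing decrypt shows why a plain listserv cannot work:
# the copy encrypted for the MLA has no RecipientInfo for a member's key.
run_mla_demo() {
  make_identity mla; make_identity alice; make_identity bob
  mkdir -p "$WORK/members"; cp "$WORK/alice.crt" "$WORK/bob.crt" "$WORK/members/"
  sender_encrypt "quarterly audit findings"
  if openssl smime -decrypt -in "$WORK/to-mla.p7m" -recip "$WORK/alice.crt" \
       -inkey "$WORK/alice.key" >/dev/null 2>&1; then return 1; fi
  mla_expand
  member_decrypt alice; member_decrypt bob
}
```

Running `run_mla_demo` prints the recovered body line once per member; the plaintext only ever exists in the clear on the sender, briefly on the MLA, and on each member's own machine.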

6 Future

  1. S/MIME support in email clients is developing and, in some products, can be considered mature at the time of writing.

  2. S/MIME version 3's optional Enhanced Security Services (Mail List Agents, Security Labels, and Signed Receipts) will gradually be adopted by various products.

