S/MIME Pilot Project
Higher Education PKI
Technical Activities Group
(HEPKI-TAG)
 
 
Project FAQs (under development)

  1. Why S/MIME and why not PGP?
    Perhaps the simplest answer to this question is that popular email clients come with built-in and relatively easy-to-use support for S/MIME. PGP is available for many email clients, but its use is often complicated by the need for users to locate and install appropriate plug-in software.

    While they share many technical similarities, PGP and S/MIME are generally deployed using different trust models. S/MIME typically relies on a Certification Authority (CA) and users inherit trust from the operators of the CA. PGP generally uses some out-of-band mechanism for end-users to exchange public keys. With S/MIME, users simply trust the Certification Authorities and software. With PGP, users must first authenticate the remote user and obtain a copy of their public key before the start of secured communications.

  2. How does S/MIME relate to HIPAA?
    While the HIPAA security standards are not yet published, some medical centers believe that the use of S/MIME to sign and encrypt email messages may be one part of their overall strategy.

  3. What are some of the major issues with the use of encrypted email?
    One of the major issues with the use of encrypted email is the long-term danger associated with the loss of the private key that is able to decrypt the archived messages. For example, when a user stores a copy of all messages sent into a sentmail folder, S/MIME email clients place the encrypted version of the message into the folder. A user who needs to view the contents of these messages at a later date will not be able to do so unless the appropriate private key is still available. Adequate backups of all certificates and their matching private keys must be made and maintained throughout the period of time when the user may wish to examine old encrypted messages.

  4. "S/MIME Cookbook." (under development)

  5. Getting started - for testers (tbd - campus based for now?)

  6. How might S/MIME be used with mailing lists?
    This question can be interpreted in two different ways. The first is whether the use of S/MIME imposes any special requirements on mailing list software. The second is what new services might be possible using signed email with S/MIME-aware mailing list software.

    The default configuration on some mailing list software causes small translations in the message body. For example, a mailing list server might translate tab characters into a fixed number of spaces. While this may help cross-platform readability, it is guaranteed to cause problems with verifying the signed email. Mailing list software should always be configured to make no changes to the content portions of a message.

    One facet of mailing list software that could be enhanced via the use of S/MIME is in the area of restricted email lists. S/MIME-signed email provides strong authentication of the sender of a message. Email signatures could be used to facilitate lists that only members of the list can post to. Likewise, stronger authentication of list moderators would be relatively easy to implement.
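
    The content-translation problem described in this answer can be checked by sending a signed probe message through a list and comparing the signed part as sent with the copy the list delivers. The sketch below is an added example, not part of the pilot project's materials; the function names, the sample messages and the use of SHA-256 as the digest are assumptions made for illustration.

```python
import email
import hashlib

def signed_part(raw: bytes) -> bytes:
    """First body part of a multipart/signed message (the bytes the signature
    covers), with line endings normalised to CRLF as S/MIME canonicalisation does."""
    msg = email.message_from_bytes(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    delim = b"\n--" + msg.get_boundary().encode("ascii")
    chunks = raw.replace(b"\r\n", b"\n").split(delim)
    if len(chunks) < 3:
        raise ValueError("expected a content part and a signature part")
    # chunks[1] is the rest of the delimiter line, then the part's headers and body
    return chunks[1].split(b"\n", 1)[1].replace(b"\n", b"\r\n")

def content_digest(raw: bytes) -> str:
    """Digest a verifier recomputes over the signed part (SHA-256 assumed here)."""
    return hashlib.sha256(signed_part(raw)).hexdigest()

def diagnose(sent: bytes, delivered: bytes) -> list:
    """Describe how the list changed the signed part; [] means it is intact."""
    a, b = signed_part(sent), signed_part(delivered)
    if a == b:
        return []
    findings = [f"tabs translated to {n} spaces"
                for n in range(1, 9) if a.replace(b"\t", b" " * n) == b]
    def strip(d):
        return [line.rstrip(b" \t") for line in d.split(b"\r\n")]
    if strip(a) == strip(b):
        findings.append("trailing whitespace changed")
    if b.startswith(a):
        findings.append("text appended to the signed part")
    return findings or ["content modified (unclassified change)"]

# Constructed sample: a probe message as sent, and as a list might redistribute it.
SENT = (b"From: alice@example.edu\r\nTo: list@example.edu\r\nMIME-Version: 1.0\r\n"
        b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\r\n'
        b' micalg=sha-256; boundary="sigpart"\r\n\r\n'
        b"--sigpart\r\nContent-Type: text/plain\r\n\r\n"
        b"item\tqty\r\nwidget\t3\r\n"
        b'--sigpart\r\nContent-Type: application/pkcs7-signature; name="smime.p7s"\r\n\r\n'
        b"(constructed placeholder, not a real signature)\r\n"
        b"--sigpart--\r\n")
DELIVERED = SENT.replace(b"\t", b"    ")  # list server expanded tabs

if __name__ == "__main__":
    print(diagnose(SENT, DELIVERED))
    print(content_digest(SENT) != content_digest(DELIVERED))
```

    An empty result from `diagnose` means the list passed the signed part through unchanged; any finding names a setting to turn off in the list software before signed mail is sent through it.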

  7. What are the export restrictions on various S/MIME email clients?
    Some S/MIME capable email clients may still have export restrictions. You should not export any product that employs strong cryptography without first checking with the manufacturer on any potential export restrictions.