Domain Security Services using S/MIME (RFC3183)
Original Publication Date: 2001-Oct-01
Included in the Prior Art Database: 2001-Nov-13
Internet Society Requests For Comment (RFCs)
T. Dean: AUTHOR [+2]
Network Working Group                                            T. Dean
Request for Comments: 3183                                    W. Ottaway
Category: Experimental                                           QinetiQ
Domain Security Services using S/MIME
Status of this Memo
This memo defines an Experimental Protocol for the Internet
community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Copyright (C) The Internet Society (2001). All Rights Reserved.
This document describes how the S/MIME (Secure/Multipurpose Internet
Mail Extensions) protocol can be processed and generated by a number
of components of a communication system, such as message transfer
agents, guards and gateways to deliver security services. These
services are collectively referred to as 'Domain Security Services'.
Significant comments were made by Luis Barriga, Greg Colla, Trevor
Freeman, Russ Housley, Dave Kemp, Jim Schaad and Michael Zolotarev.
The S/MIME series of standards defines a data encapsulation format
for the provision of a number of security services including data
integrity, confidentiality, and authentication. S/MIME is designed
for use by messaging clients to deliver security services to
distributed messaging applications.
The mechanisms described in this document are designed to solve a
number of interoperability problems and technical limitations that
arise when different security domains wish to communicate securely,
for example when two domains use incompatible messaging technologies
such as the X.400 series and SMTP/MIME, or when a single domain
wishes to communicate securely with one of its members residing on an
untrusted domain. The scenarios covered by this document are
domain-to-domain, individual-to-domain and domain-to-individual
Dean & Ottaway Experimental [Page 1]
RFC 3183 Domain Security Services using S/MIME October 2001
communications. This document is also applicable to organizations
and enterprises that have internal PKIs which are not accessible by
the outside world, but wish to interoperate securely using the S/MIME
There are many circumstances when it is not desirable or practical to
provide end-to-end (desktop-to-desktop) security services,
particularly between different security domains. An organization
that is considering providing end-to-end security services will
typically have to deal with some if not all of the following issues:
1) Heterogeneous message access methods: Users are accessing mail
using mechanisms which re-format messages, such as using Web
browsers. Message reformatting in the Message Store makes
end-to-end encryption and signature validation impossible.
2) Message screening and audit: Server-based mechanisms such as
searching for prohibited words or other content, virus scanning,
and audit, are incompatible with end-to-end encryption.
3) PKI deployment issues: There may not be any certificate paths
between two organizations. Or an organization ...