28 May 1998


Date: Thu, 28 May 1998 12:15:26 +0100
To: ukcrypto@maillist.ox.ac.uk
From: Robert Willmott <rhw@makra.demon.co.uk>
Subject: EEMA Security Framework announcement

The European Electronic Messaging Association Security Privacy and Legal
Committee (EEMA - SPLC) will formally launch its Framework for Secure
Inter-Organisational Messaging at its Annual Conference on Tuesday 2nd
June next week. It may be of interest to members of this list since it
addresses a number of issues which have arisen on this list over the
last months:

(1) Use of dual keys and algorithms to separate Signatures from
Confidentiality as far as is possible to underline the desire to avoid
escrow of signature keys;

(2) Business definition of the meanings of the security functions made
available to the user (i.e. distinctions are made between digital
signatures generated for the Authentication/Integrity and SIGNATURE
functions);

(3) A mechanism for contractually binding users of the framework to the
signatures they generate by means of hand signatures to a Memorandum of
Understanding. The MoU acts as a multilateral contract between all who
sign it - the MoUs are administered by CAs;

(4) Mapping the standards security functions and processing onto a
variety of electronic messaging and information object formats (but
retaining the same security semantics);

(5) Cryptographic Algorithm flexibility - users declare their
cryptographic capabilities in their X.500 Directory entry together with
their X.509 Certificates. A cryptographic profile of algorithms is
suggested, but users may declare and use others if need be;

(6) Support for Authentication, Signature, Non-Repudiation of Receipt,
Notarisation, Confidentiality, Firewalls (in some messaging systems
through Labels), Message Sequence Integrity;

EEMA is seeking ways of implementing a pilot project based on the
framework, involving X.500 Directories, CAs, Messaging System Suppliers,
Security System suppliers, and Users.

There are three documents:

        The Memorandum of Understanding (the user contract);
        The Framework - the technical specification;
        A Guide.

The first two can be obtained from the EEMA WEB site
(http://www.eema.org/). The guide is free to members, but a charge will
be made to non-members.

EEMA is an association which brings together all who are interested in
messaging and the messaging market. Its members include service
providers, suppliers and users.

I would be interested in any comments on the framework, and anyone who
would like to get involved in implementing it. 

Regards
-- 
Robert Willmott - Independent IT Communications Consultant
Tel: +44 1 7327 62211
Fx:  +44 1 7327 61257