Transparent Internet E-mail Security
Raph Levien, Lewis McCarthy, and Matt Blaze
Affiliation: AT&T Laboratories
Abstract: This paper describes the design and prototype implementation of a comprehensive system for securing Internet e-mail transparently, so that the only user intervention required is the initial setup and specification of a trust policy. Our system uses the PolicyMaker trust management engine [BFL] to evaluate the trustworthiness of keys, in particular whether a given binding between a key and a name is valid. In this approach, user policies and credentials are written as predicates in a safe programming language. These predicates can examine the graph of trust relationships among all the credentials presented. Thus, credentials can express higher-order policies that depend upon global properties of the trust graph or that impose specific conditions under which keys are considered trusted. "Standard" certificates, such as PGP and X.509, are automatically translated into simple PolicyMaker credentials stating that the certifier trusts a binding between a key and a name and address; certifiers can also issue more sophisticated credentials written directly in the PolicyMaker language.
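To make the evaluation model concrete, here is a small illustration written for this page (not PolicyMaker, not the paper's prototype, and not its credential language): standard certificates are translated into simple "issuer asserts binding" credentials, a richer credential is a predicate over the whole credential graph, and the user's policy decides which key/name bindings are valid. All key identifiers, names, addresses and the `ROOT` rule are constructed for the example.

```python
"""Toy trust-graph evaluator modelled on the approach described above.
Illustration only: not PolicyMaker and not the paper's prototype."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Set, Union


@dataclass(frozen=True)
class Binding:
    key: str       # key identifier, e.g. a fingerprint (constructed values below)
    name: str
    address: str


@dataclass(frozen=True)
class SimpleCredential:
    """What a PGP or X.509 certificate translates to: issuer asserts binding."""
    issuer: str
    binding: Binding


@dataclass(frozen=True)
class PredicateCredential:
    """Credential written as a rule; the rule may inspect the whole graph."""
    issuer: str
    rule: Callable[["TrustGraph", Binding], bool]


Credential = Union[SimpleCredential, PredicateCredential]


def from_pgp_signature(signer: str, key: str, user_id: str) -> SimpleCredential:
    """Stand-in for the automatic translation of a PGP key signature over a
    user ID of the form 'Name <address>' into a simple credential."""
    name, _, rest = user_id.partition("<")
    return SimpleCredential(signer, Binding(key, name.strip(), rest.rstrip(">").strip()))


class TrustGraph:
    """All credentials presented, queryable as a graph of assertions."""
    def __init__(self, credentials: Iterable[Credential]):
        creds = list(credentials)
        self.simple = [c for c in creds if isinstance(c, SimpleCredential)]
        self.rules = [c for c in creds if isinstance(c, PredicateCredential)]

    def direct_certifiers(self, b: Binding) -> Set[str]:
        return {c.issuer for c in self.simple if c.binding == b}

    def bindings_certified_by(self, issuer: str) -> Set[Binding]:
        return {c.binding for c in self.simple if c.issuer == issuer}

    def bindings_for_key(self, key: str) -> Set[Binding]:
        return {c.binding for c in self.simple if c.binding.key == key}

    def certifiers(self, b: Binding) -> Set[str]:
        """Direct certifiers plus issuers whose rule accepts the binding."""
        return self.direct_certifiers(b) | {r.issuer for r in self.rules if r.rule(self, b)}


class Policy:
    """User policy: a binding is valid when at least `min_certifiers` of its
    certifiers are trusted; a key is trusted if it is a root or, within
    `max_hops` introducer hops, carries a valid binding of its own."""
    def __init__(self, roots: Set[str], min_certifiers: int = 1, max_hops: int = 2):
        self.roots, self.k, self.max_hops = set(roots), min_certifiers, max_hops

    def binding_valid(self, g: TrustGraph, b: Binding, hops: int = 0, seen=frozenset()) -> bool:
        if b in seen:                       # break certification cycles
            return False
        seen = seen | {b}
        trusted = [k for k in g.certifiers(b) if self.key_trusted(g, k, hops, seen)]
        return len(trusted) >= self.k

    def key_trusted(self, g: TrustGraph, key: str, hops: int, seen) -> bool:
        if key in self.roots:
            return True
        if hops >= self.max_hops:
            return False
        return any(self.binding_valid(g, b, hops + 1, seen) for b in g.bindings_for_key(key))


def two_root_certified_introducers(g: TrustGraph, b: Binding) -> bool:
    """Hypothetical rule issued by ROOT: vouch for any binding directly certified
    by at least two keys that ROOT itself certified (a global graph property)."""
    root_keys = {x.key for x in g.bindings_certified_by("ROOT")}
    return len(g.direct_certifiers(b) & root_keys) >= 2


SAMPLE = [  # constructed PGP-style signatures: (signer, signed key, user ID)
    from_pgp_signature("ROOT", "K_A", "Alice <alice@example.com>"),
    from_pgp_signature("ROOT", "K_D", "Dave <dave@example.com>"),
    from_pgp_signature("K_A", "K_B", "Bob <bob@example.com>"),
    from_pgp_signature("K_A", "K_C", "Carol <carol@example.com>"),
    from_pgp_signature("K_D", "K_C", "Carol <carol@example.com>"),
    from_pgp_signature("K_X", "K_M", "Mallory <mallory@example.com>"),   # unknown signers
    from_pgp_signature("K_Y", "K_M", "Mallory <mallory@example.com>"),
    PredicateCredential("ROOT", two_root_certified_introducers),
]


def evaluate(policy: Policy, creds=SAMPLE) -> Dict[str, bool]:
    """Validity of every binding in the graph under the given policy."""
    g = TrustGraph(creds)
    bindings = {c.binding for c in creds if isinstance(c, SimpleCredential)}
    return {b.name: policy.binding_valid(g, b) for b in sorted(bindings, key=lambda b: b.name)}


if __name__ == "__main__":
    print(evaluate(Policy({"ROOT"}, max_hops=0)))   # only ROOT and its rule count
    print(evaluate(Policy({"ROOT"}, max_hops=2)))   # ROOT's introducers count too
```

With `max_hops=0` only ROOT's own certifications and its rule count, so Bob (signed only by Alice) is rejected while Carol is accepted because the rule sees two ROOT-certified signers on her binding; Mallory's two unknown signers satisfy neither path. Raising `max_hops` lets Alice act as an introducer for Bob, and a second toy policy needs no change to the credentials.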

Our system does not assume any particular public key, certificate, or message format. Our prototype implementation, which runs under most versions of Unix, accepts PGP key certificates as well as our own credentials, and uses standard PGP message formats. Thus, our system interoperates with the existing infrastructure of secure e-mail applications while providing additional flexibility at those sites where the system is used. We also plan to support S/MIME and other message formats, X.509 certificates, and Win32-based platforms.

[BFL] M. Blaze, J. Feigenbaum, and J. Lacy, "Decentralized Trust Management," IEEE Symposium on Security and Privacy, Oakland CA, May 1996.

For more information, contact raph@cs.berkeley.edu, lmccarth@cs.umass.edu, or mab@research.att.com