Transparent Internet E-mail Security

This paper describes the design and prototype implementation of a comprehensive system for securing Internet e-mail transparently, so that the only user intervention required is the initial setup and speciication of a trust policy. Our system uses the PolicyMaker trust management engine for evaluating the trustworthiness of keys, in particular whether the given binding between key and name is valid. In this approach, user policies and credentials are written as predicates in a safe programming language. These predicates can examine the graph of trust relationships among all the credentials presented. Thus, credentials can express higher-order policies that depend upon global properties of the trust graph or that impose speciic conditions under which keys are considered trusted. \Standard" certiicates, such as pgp and X.509, are automatically translated into simple PolicyMaker credentials that indicate that the certi-er trusts a binding between a key and a name and address, and certiiers can also issue more sophisticated credentials written directly in the PolicyMaker language. Our system does not assume any particular public key, certiicate, or message format. Our prototype implementation, which runs under most versions of Unix, accepts pgp key certiicates as well as our own credentials, and uses standard pgp message formats. Thus, our system inter-operates with the existing infrastructure of secure e-mail applications while providing additional exibility at those sites where the system is used. We plan also to support s/mime and other message formats, X.509 certiicates, and Win32-based platforms.