Feeds

Military industrial complex aims to revamp email

Trust but verify

SANS - Survey on application security programs

A consortium of British and US military agencies and defense and aerospace firms have agreed a new standard for secure email. Security experts are watching the developments closely, but are unsure how much of the specification will make it into public use or commercial email security products.

The secure email specification from the The Transglobal Secure Collaboration Program (TSCP) aims to address email's inherent identity and data transmission security flaws. The specification covers a method for authenticating users that creates a Public Key Infrastucture system that could act as the backbone for other forms of electronic collaboration.

The requirements were defined and endorsed by the members of the TSCP: the US Department of Defense (DoD), UK Ministry of Defence (MoD), BAE Systems, Boeing, EADS, Lockheed Martin, Northrop Grumman, Raytheon, and Rolls-Royce.

The US Defence Department intends to use the specification to protect "controlled but unclassified information". The MoD also expects to deploy the capability enterprise-wide in 2008 for classifications up to "UK Restricted".

The TSCP implementation is based on TSCP-defined publicly available specifications which organisations must follow to assign vetted identity information to all email senders and recipients. The current implementation was constructed with commercial-off-the-shelf (COTS) products, open source software, and a commercial trusted third-party service, CertiPath. The resulting digital certificate-based system ensures that information only travels to and from trusted parties. The framework plugs into either Lotus Notes or Outlook clients.

PKI has long been touted as the next big thing in information security. But the difficulty of putting in such systems and integrating them with other platfors has made the technology complicated and costly. Even though most aspects of the TSCP approach are public, it's unclear how much impact the approach will have in the wider world outside military organisations and their contractors.

"I don't know how much of this will end up public. Certainly I'm interested. And certainly email could use a major security overhaul," security guru Bruce Schneier told El Reg. "People are abandoning the medium in favour of others that are less spam-filled." ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.