Secure Messaging Challenge: Technical Demonstration
The Open Group EMA Forum
Boeing's Messaging Needs
- Provide access to strongly encrypted e-mail outside the enterprise
- Reduce the complexity of deploying secure e-mail
- Present a single solution that can span the enterprise
- Provide a broadly acceptable solution to customers, partners and suppliers
Technical Requirements
- Use X.509 v3 CA services: self-signed or purchased commercial certificates
- RSA algorithm with a minimum 1024-bit key length
- Provide standards-based directory services accessible via the public Internet, with the certificate stored in the standard userCertificate attribute
- Provide an S/MIME-compliant messaging client capable of requesting certificates from the directory
- Provide an S/MIME-compliant e-mail system
- Follow current standards for S/MIME, X.509 v3 and LDAP v3
- COTS or open-source products only
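The requirements above describe what the client does before it can encrypt: query the directory for the recipient's entry, read the userCertificate attribute, and use the RSA public key the certificate carries, which the policy says must be at least 1024 bits. The following is an added example, not code from the Challenge deliverables or from any vendor named in this deck. It unfolds an LDIF search result, decodes the userCertificate;binary value, walks the DER structure down to the SubjectPublicKeyInfo and checks that the key is RSA of the required length. To run offline it builds its own certificate, a constructed skeleton with the right DER layout but a dummy modulus and no real signature; the DN, mail address and directory names in it are assumptions, not values from the Challenge.

```python
"""Check a certificate read from a directory's userCertificate attribute against the
Challenge policy (RSA, at least 1024-bit modulus). Added example; standard library only."""
import base64

# OID content bytes as they appear inside a DER OBJECT IDENTIFIER
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
SHA1_WITH_RSA_OID = bytes.fromhex("2a864886f70d010105")   # 1.2.840.113549.1.1.5
MIN_RSA_BITS = 1024  # minimum key length from the requirements slide


# --- minimal DER encoder, used only to build the constructed sample certificate ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + content


def der_int(value):
    # one extra bit of headroom so a leading 0x00 keeps the INTEGER positive
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_sample_cert(modulus_bits):
    """Constructed X.509 skeleton: correct DER layout, dummy modulus, unsigned.
    Good only for exercising a parser; it is not a usable certificate."""
    modulus = (1 << (modulus_bits - 1)) | 1  # top bit set => exact bit length
    rsa_pub = der(0x30, der_int(modulus) + der_int(65537))
    alg_rsa = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    spki = der(0x30, alg_rsa + der(0x03, b"\x00" + rsa_pub))
    sig_alg = der(0x30, der(0x06, SHA1_WITH_RSA_OID) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"020101000000Z") + der(0x17, b"030101000000Z"))
    tbs = der(0x30, der(0xA0, der_int(2))  # [0] version: v3
              + der_int(1)                 # serialNumber
              + sig_alg                    # signature algorithm
              + der(0x30, b"")             # issuer Name (empty placeholder)
              + validity
              + der(0x30, b"")             # subject Name (empty placeholder)
              + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 17))  # dummy signature


# --- DER reader applied to whatever the directory returned ---
def der_read(buf, pos=0):
    """Read one TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split the content of a SEQUENCE into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = der_read(content, pos)
        out.append((tag, value))
    return out


def rsa_key_info(cert_der):
    """Return {'modulus_bits', 'exponent'} for an RSA certificate, or None if not RSA."""
    _, cert, _ = der_read(cert_der)  # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert)       # first element is tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:         # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    alg, key_bits = der_children(fields[5][1])
    if der_children(alg[1])[0][1] != RSA_ENCRYPTION_OID:
        return None
    rsa_pub = der_children(key_bits[1][1:])[0][1]  # skip the unused-bits octet
    modulus, exponent = (int.from_bytes(v, "big") for _, v in der_children(rsa_pub))
    return {"modulus_bits": modulus.bit_length(), "exponent": exponent}


def meets_policy(cert_der, min_bits=MIN_RSA_BITS):
    info = rsa_key_info(cert_der)
    return info is not None and info["modulus_bits"] >= min_bits


# --- LDIF handling: the shape of what a search against the LDAP proxy hands back ---
def unfold_ldif(text):
    """Join LDIF continuation lines (a leading single space) onto the line above."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def certs_from_ldif(text):
    """Decode every userCertificate;binary value ('::' marks base64 in LDIF)."""
    certs = []
    for line in unfold_ldif(text):
        if line.lower().startswith("usercertificate;binary::"):
            certs.append(base64.b64decode(line.split("::", 1)[1].strip()))
    return certs


def sample_ldif(modulus_bits=1024):
    """Constructed search result for an assumed recipient entry."""
    b64 = base64.b64encode(build_sample_cert(modulus_bits)).decode()
    folded = "\n ".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("dn: cn=Example User,ou=People,dc=example,dc=com\n"
            "objectClass: inetOrgPerson\n"
            "mail: example.user@example.com\n"
            f"userCertificate;binary:: {folded}\n")


if __name__ == "__main__":
    for cert in certs_from_ldif(sample_ldif()):
        print(rsa_key_info(cert), "policy ok" if meets_policy(cert) else "REJECT")
    print(meets_policy(build_sample_cert(512)))  # too short for the policy
```

The navigation in rsa_key_info follows the TBSCertificate field order from X.509 v3, so it works on a real certificate as well as the constructed one; what it does not do is validate the signature or the chain, which a client must still do against the root CA described on the following slides before trusting the key it found.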
Scope (architecture diagram)
Two organizations' intranets, each behind a network firewall, connected across a public network; the Challenge boundary lies between them. Each side has desktop PCs, an S/MIME-compliant e-mail server and messaging backbone services (Exchange server), plus internal and external LDAP proxies in front of an LDAP server (or proxy) holding user entries and X.509 v3 public-key certificates. A request to the LDAP proxy with the recipient's address returns the recipient's X.509 v3 public key; the message itself follows the normal message route.
Deliverables
- Toolkit
- PKI overview
- Certificate practices, guidelines and recommendations
- Lessons learned
- Example architectures
- Comprehensive testing results
- Peer-reviewed report of findings and recommendations
EMA Challenge Timeline (Jul 2001 to Apr 2002)
Phases: Recruiting; Scope; Initial Architecture; Testing and Validation; Reporting and Demonstration; Deployment
Lynx Systems: Lotus Notes and Microsoft Exchange
Test Solution A (Lotus Notes):
- Server: Lotus Notes 5.0.8
- Client: Lotus Notes 5.0.8
- LDAP: Lotus Notes 5.0.8
Test Solution B (Microsoft Exchange):
- Server: Microsoft Exchange 2000
- Client: Microsoft Outlook 2000 SR1 and security patch
- LDAP: Linux with OpenLDAP
PKI:
- Self-signed root Certificate Authority on a standalone Microsoft Windows 2000 CA server
Lynx test environment (diagram): a mobile user with a notebook; an intranet with a notebook and a workstation behind a firewall; DMZ A with a Lotus Notes e-mail server; DMZ B with an Exchange e-mail server; an MS Windows 2000 PKI; a Linux server with OpenLDAP; a firewall to the Internet.
Boeing Demo Environment
Messaging environment:
- Server: Microsoft Exchange 2000 and Key Management Server
- Client: Outlook 2000 SP2
Directory environment:
- Windows 2000 Active Directory
PKI environment:
- Boeing self-signed root
- Microsoft Windows 2000 standalone subordinate CA server
LDAP presence:
- Internal and external LDAP proxy servers (Maxware Virtual Directory)
Boeing Demo Environment (diagram): Boeing test self-signed root Certificate Authority; Microsoft Windows 2000 test standalone subordinate Certificate Authority; external LDAP proxy (Maxware Virtual Directory) facing the Internet; firewall; internal LDAP proxy (Maxware Virtual Directory); Microsoft Windows 2000 Active Directory; Microsoft Exchange 2000 with Key Management Server; workstation with Microsoft Outlook 2000 SP2.
SMTP/Vendor Certificate Architecture
Messaging environment:
- Server: Sendmail 8.11.0 and POP3 daemon on Linux
- Client: Outlook 2000 SP2
Directory environment:
- directory.verisign.com, the directory server for VeriSign-issued certificates
PKI environment:
- Purchased VeriSign Class 1 X.509 v3 certificates
SMTP/Vendor Certificate Architecture (diagram): workstation with Microsoft Outlook 2000 SP2; Linux with Sendmail 8.11 and POP3 daemon; the Internet; purchased user certificates retrieved from directory.verisign.com.
Demonstration
- Scenario 1: Boeing Exchange to Lynx Exchange: directory lookup; send/receive encrypted message
- Scenario 2: Lynx Notes to Smtptestbed.com: directory lookup; send/receive encrypted message
- Scenario 3: Smtptestbed.com to Boeing Exchange: directory lookup; send/receive encrypted message
- Scenario 4: Lynx Exchange to Lynx Notes: directory lookup; send/receive encrypted message
Demonstration Environment (diagram): the three test environments joined over the Internet.
- Lynx test environment: mobile user with a notebook; intranet with a notebook behind a firewall; DMZ A with a Lotus Notes e-mail server; DMZ B with an Exchange e-mail server; MS Windows 2000 PKI; Linux server with OpenLDAP.
- Boeing test environment: Boeing test self-signed root Certificate Authority; Microsoft Windows 2000 test standalone subordinate Certificate Authority; external and internal LDAP proxies (Maxware Virtual Directory); firewall; Microsoft Windows 2000 Active Directory; Microsoft Exchange 2000 with Key Management Server; workstation with Microsoft Outlook 2000 SP2.
- SMTPTESTBED.COM test environment: workstation with Microsoft Outlook 2000 SP2; Linux with Sendmail 8.11 and POP3 daemon; purchased user certificates can be found at directory.verisign.com.
Scenario 1, Boeing to Lynx Exchange: Directory Lookup
Scenario 1, Boeing to Lynx Exchange: Read Encrypted Message
Scenario 2, Lynx Notes to Smtptestbed.com: Directory Lookup
Scenario 2, Lynx Notes to Smtptestbed.com: Read Encrypted Message
Scenario 3, Smtptestbed.com to Boeing: Directory Lookup
Scenario 3, Smtptestbed.com to Boeing: Recipient Reads Encrypted Message
Scenario 4, Lynx Exchange to Notes: Encrypted Message
Scenario 4, Lynx Microsoft Exchange to Lotus Notes: Encrypted Mail