Sean
I reached Joe Miller of the MHDC just to see what their take was on how things were going with regard to secure email.  Below is Joe's response.  MHDC has studied this topic for several years.  I should preface his email by saying that there are generally two approaches to secure email: (1) every individual has their own key, and (2) organizations each have their own key.  Approach (1) is probably the most intuitive approach but you end up with a large number of keys to manage.  This, in turn, has always been a significant hurdle to overcome (managing a large number of keys, particularly from different CAs, can be quite costly and a hassle for the end user).  In an effort to limit the number of 'keys' in use, MA went with a gateway approach to secure email.  That is, the organization's server had a key rather than each individual person having a key.  This greatly reduces the number of keys that need to be managed.

<begin clip>
Inter-operability is clearly still a major issue... and I believe our initiative is the only "cross vendor" secure email solution being explored in the marketplace.  We are making slow but steady progress in MA.  Two organizations (Tufts Health Plan and CareGroup hospital system) have purchased S/MIME Gateway -SMG- products (from two different vendors!) with software that meets the spec we have submitted to the IETF.  They are beginning to send encrypted emails to one another.  More importantly, the Commonwealth of MA is interested in addressing Secure Email and we have presented to several different groups within the state.  They are very interested in the SMG approach and I expect them to test it with 2-3 healthcare agencies in the next 6 months.  If the state chooses this approach, I expect a bandwagon effect will influence other MA healthcare orgs to pursue SMGs.

This web site

http://www.blkk.com/smg/

has most of the relevant information
<end clip>

For those of you who are not familiar with how digital signatures work, UHIN has a PowerPoint presentation on the topic.  Go to www.uhin.com - Education and scroll down to the "presentations" section.  Look at "UHIN's Digital Signature Presentation".  It's a little out of date, but the basics still apply.

Jan Root

Sean Steele wrote:

Jan,

As I recall that study (announced by Mass Health Data Consortium on
4/24/01) became one of the main factors in vendors' standardization on
X.509v3.  The major difference being that proprietary "extensions" to
X.509 were accounted for in v3 whereas they had impeded interoperability
in previous versions.

Interoperability was a major problem with the industry, but I have not
seen or heard any significant mention of it (in the context of
cross-enterprise secure mail exchange) in more than a year.

Everyone should know to avoid proprietary cryptography (and PGP) like
the plague; Network Associates recently put its main PGP security
products out to pasture.

--
Sean Steele
National Account Manager
Tovaris, Inc.
[EMAIL PROTECTED]
v +1.703.465.0964
f +1.703.465.2435

"Jan Root" wrote:

> One more point to add (sorry to keep raining on a good idea):  Interoperability has always been a major challenge to doing secure email.  If I buy secure
> email system X and you buy secure email system Y, can we exchange secure email?  Probably not.
>
> The Massachusetts component of HealthKey (the Mass. Health Data Consortia) did an interoperability project for secure email.  I think they started with 6
> (5?) secure email vendors, all of which claimed to have implemented the X.509 (v3?) standard.  However, when tested, none of these systems could read
> each other's email.  This was a couple of years ago so perhaps this problem has been solved, but interoperability is something to consider if you are
> looking at secure email systems.
>
> And then there is the problem of trying to send secure email to someone who doesn't have secure email facilities.  Vendors have come up with clever
> ways to deal with this, but it is far from being automatic or transparent.  Secure email still seems to be much more difficult than it appears on first blush.
>
> Jan Root

