NIST is examining Secure Multipurpose Internet Mail Extension (S/MIME) standards and products with a goal of improving the security and interoperability of S/MIME products.

NIST has developed a Federal S/MIME V3 Client Profile, (NIST Special Publication 800-49) for security and interoperability based on IETF specifications. The profile includes all mandatory features of the IETF RFCs with the EXCEPTION that implementation of RFC 2631 Diffie-Hellman Key Agreement cryptographic algorithm mandated in IETF RFC 2630 is NOT required. (The IETF has deleted mandatory implementation of the Diffie-Hellman Key Agreement algorithm from the next/revised set of RFCs that will specify S/MIME V3.) In addition, the profile mandates certain optional features required for interoperability and security in secure email products. The primary audience is federal agencies, but the profile may be used by private sector and local governments as well.

NIST has an Internet-based automated testing facility under development. This automated "testbed" will help ensure conformance to the S/MIME V3 Client profile, help ensure conformance to related specifications (RFCs), and help ensure interoperability of S/MIME V3 products. As part of the automated testing facility, a S/MIME V3 reference implementation has been deployed. The reference implementation will include support for both originator and recipient roles and will conform to the proposed NIST S/MIME V3 security and interoperability profile, including optional features. Thus, the reference implementation will serve to validate not only S/MIME V3 implementations, but the NIST profile as well. The test facility is expected to be available for limited testing in the third quarter of 2003.