The Domain Name System-Based Security for Electronic Mail project will produce a proof-of-concept security platform that demonstrates trustworthy email exchanges across organizational boundaries. The product of the project will include authentication of mail servers, signing and encryption of email, and binding cryptographic key certificates to the servers. Domain Name System Security Extensions (DNSSEC) protocols will be used to authenticate server addresses and certificates by binding the X.509 certificates used for Transport Layer Security (TLS) to DNS names verified by DNSSEC. The business value of the security platform that will result from this project lies not only in improved privacy and security protection for users’ operations, but also in expanding the set of available DNS security applications and encouraging wider implementation of the protocols that give Internet users confidence that the entities to which they believe they are connecting are the entities to which they are actually connecting. This project will result in one or more demonstration prototype DNS-based secure email platforms, a publicly available NIST Cybersecurity Practice Guide that explains how to employ the platform(s) to meet Federal and industry security and privacy requirements, the platform documentation necessary to compose a DNS-based email security platform from off-the-shelf components, and any recommendations for improvements to applicable standards documentation. The secure email project will involve the composition of a variety of components provided by a number of different vendors. Client systems, DNS/DNSSEC services, mail transfer agents, and certificate providers (Certificate Authorities or CAs) are included.
The NCCoE is currently entering into cooperative research and development agreements with technology providers for components and expertise, including DNS resolvers (stub and recursive) for DNSSEC, authoritative DNS servers for DNSSEC-signed zones, mail servers and mail security components, and extended validation and domain validation TLS certificates.