Draft NIST Special Publication 800-177, Trustworthy Email

Draft NIST Special Publication 800-177, Trustworthy Email

This (First) DRAFT of Special Publication 800-177 document has been superceded by the following draft publication: The first draft has been attached for HISTORICAL PURPOSE – PLEASE refer to the Second Draft (see details below): Publication Number: Second Draft Special Publication 800-177 Title: Trustworthy Email Publication Date: March 2016 Second Draft Publication: http://csrc.nist.gov/publications/PubsDrafts.html#800-177 Information on other publications: http://csrc.nist.gov/publications/ The following information was posted with the attached DRAFT document: NIST requests comments on the second draft of Special Publication (SP) 800-177, Trustworthy Email. This draft is a complimentary guide to NIST SP 800-45 Guidelines on Electronic Mail Security and covers protocol security technologies to secure email transactions. This draft guide includes recommendations for the deployment of domain-based authentication protocols for email as well as end-to-end cryptographic protection for email contents. Technologies recommended in support of core Simple Mail Transfer Protocol (SMTP) and the Domain Name System (DNS) include mechanisms for authenticating a sending domain (Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) and Domain based Message Authentication, Reporting and Conformance (DMARC). Email content security is facilitated through encryption and authentication of message content using S/MIME and/or Transport Layer Security (TLS) with SMTP. This guide is written for the federal agency email administrator, information security specialists and network managers, but contains general recommendations for all enterprise email administrators. The public comment period April 29th, 2016. Email comments [email protected] 1 DRAFT NIST Special Publication 800-177 2 Trustworthy Email 3 4 5 Ramaswamy Chandramouli 6 Simson Garfinkel 7 Stephen Nightingale 8 Scott Rose 9 10 11 12 13 14 15 16 17 18 19 C O M P U T E R S E C U R I T Y 20 21 22 DRAFT NIST Special Publication 800-177 23 Trustworthy Email 24 25 Scott Rose, Stephen Nightingale 26 Information Technology Laboratory 27 Advanced Network Technology Division 28 29 Simson L. Garfinkel 30 Information Technology Laboratory 31 Information Access Division 32 33 Ramaswamy Chandramouli 34 Information Technology Laboratory 35 Computer Security Division 36 37 38 39 40 41 42 43 September 2015 44 45 46 47 48 49 U.S. Department of Commerce 50 Penny Pritzker, Secretary 51 52 National Institute of Standards and Technology 53 Willie May, Under Secretary of Commerce for Standards and Technology and Director 54 Authority 55 This publication has been developed by NIST in accordance with its statutory responsibilities under the 56 Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3541 et seq., Public Law 57 (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, 58 including minimum requirements for federal information systems, but such standards and guidelines shall 59 not apply to national security systems without the express approval of appropriate federal officials 60 exercising policy authority over such systems. This guideline is consistent with the requirements of the 61 Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information 62 Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental 63 information is provided in Circular A-130, Appendix III, Security of Federal Automated Information 64 Resources. 65 Nothing in this publication should be taken to contradict the standards and guidelines made mandatory 66 and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should 67 these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of 68 Commerce, Director of the OMB, or any other federal official. This publication may be used by 69 nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. 70 Attribution would, however, be appreciated by NIST. 71 National Institute of Standards and Technology Special Publication 800-177 72 Natl. Inst. Stand. Technol. Spec. Publ. 800-177, 87 pages (September 2015) 73 CODEN: NSPUE2 74 This publication is available free of charge 75 76 Certain commercial entities, equipment, or materials may be identified in this document in order to describe an 77 experimental procedure or concept adequately. Such identification is not intended to imply recommendation or 78 endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best 79 available for the purpose. 80 There may be references in this publication to other publications currently under development by NIST in 81 accordance with its assigned statutory responsibilities. The information in this publication, including concepts and 82 methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, 83 until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain 84 operative. For planning and transition purposes, federal agencies may wish to closely follow the development of 85 these new publications by NIST. 86 Organizations are encouraged to review all draft publications during public comment periods and provide feedback 87 to NIST. All NIST Computer Security Division publications, other than the ones noted above, are available at 88 http://csrc.nist.gov/publications. 89 Comments on this publication may be submitted to [email protected] 90 Public comment period: through November 30, 2015 91 National Institute of Standards and Technology 92 Attn: Advanced network Technologies Division, Information Technology Laboratory 93 100 Bureau Drive (Mail Stop 8920) Gaithersburg, MD 20899-8920 94 Email: [email protected] 95 ii 96 Reports on Computer Systems Technology 97 The Information Technology Laboratory (ITL) at the National Institute of Standards and 98 Technology (NIST) promotes the U.S. economy and public welfare by providing technical 99 leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test 100 methods, reference data, proof of concept implementations, and technical analyses to advance 101 the development and productive use of information technology. ITL’s responsibilities include the 102 development of management, administrative, technical, and physical standards and guidelines for 103 the cost-effective security and privacy of other than national security-related information in 104 federal information systems. The Special Publication 800-series reports on ITL’s research, 105 guidelines, and outreach efforts in information system security, and its collaborative activities 106 with industry, government, and academic organizations. 107 Abstract 108 This document gives recommendations and guidelines for enhancing trust in email. The primary 109 audience includes enterprise email administrators, information security specialists and network 110 managers. This guideline applies to federal IT systems and will also be useful for any small or 111 medium sized organizations. Technologies recommended in support of core Simple Mail 112 Transfer Protocol (SMTP) and the Domain Name System (DNS) include mechanisms for 113 authenticating a sending domain (Sender Policy Framework (SPF), Domain Keys Identified Mail 114 (DKIM) and Domain based Message Authentication, Reporting and Conformance (DMARC). 115 Recommendations for email transmission security include Transport Layer Security (TLS) and 116 associated certificate authentication protocols. Email content security is facilitated through 117 encryption and authentication of message content using S/MIME and OpenPGP, and associated 118 certificate and key distribution protocols. 119 120 Keywords 121 Email; Simple Mail Transfer Protocol (SMTP); Transport Layer Security (TLS); Sender Policy 122 Framework (SPF); Domain Keys Identified Mail (DKIM); Domain based Message 123 Authentication, Reporting and Conformance (DMARC); Domain Name System (DNS) 124 Authentication of Named Entities (DANE); S/MIME; OpenPGP. iii 125 126 Acknowledgements 127 Audience 128 This document gives recommendations and guidelines for enhancing trust in email. The primary 129 audience for these recommendations is enterprise email administrators, information security 130 specialists and network managers. While some of the guidelines in this document pertain to 131 federal IT systems and network policy, most of the document will be more general in nature and 132 could apply to any small-mid sized organization. 133 For most of this document, it will be assumed that the organization has some or all responsibility 134 for email and can configure or manage its own email and Domain Name System (DNS) systems. 135 Even if this is not the case, the guidelines and recommendations in this document may help in 136 education about email security and can be used to produce a set of requirements for a contracted 137 service. 138 Note to Reviewers 139 This document is considered a DRAFT publication. Reviews and comments are welcome and 140 should be sent via email to [email protected]. The public comment period runs from 141 MM/DD/YYYY to MM/DD/YYYY. 142 Trademark Information 143 All registered trademarks belong to their respective organizations. iv NIST SP 800-177 Trustworthy Email 144 Executive Summary 145 This document gives recommendations and guidelines for enhancing

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    89 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us