N-1-1-040.33.1 Security Initiatives In the Internet by Dr. Stephen Kent* The Internet has grown to encompass over 5000 "connected" networks spanning numerous countries. Internet technology is employed not only in academic and research networks, but also in an increasing number of commercial networks. Although this technology has brought many benefits to its subscriber community, e.g., multi-vendor and multi-platform interoperability, security and privacy concerns have never been at the forefront of the technology. Several initiatives are underway to incorporate security and privacy technology into Internet protocols, including Privacy Enhanced Mail (PEM), SNMP security extensions, and Common Authentication Technology (CAT). This article briefly explores PEM. Privacy Enhanced Mail is an extension to the familiar RFC 822/SMTP electronic mail system which is used extensively throughout the Internet and which has links to many other major electronic mail systems, e.g., BITNET, EARN, UUNET and many commercial electronic mail systems. PEM allows a message originator to affix a digital signature to a message, so that each message recipient can verify the identity of the sender and the integrity of the message. Signed messages may be forwarded to third parties who can, in turn, verify the identity of the (original) sender and the integrity of the original message. A message originator also may elect to encrypt the message, protecting it against disclosure while the message is in transit or residing in a mailbox. As part of developing the PEM standards, an infrastructure is being established which will include a facility for organizations and individuals to be "certified", i.e., to bind a public key to the individual's or organization's name. The resulting certification system will be used not only with PEM, but also provides essential security capabilities for use with a variety of applications, including X.500 directory authentication and the CAT system noted above. In recognition of personal privacy concerns, provisions are being made to support PEM users who do not wish to disclose their identity but do want to make use of the security facilities in an "anonymous" fashion. The availability PEM and its associated certification infrastructure may expand the ways in which the Internet may be employed. For example, applications requiring transmission of data that was deemed too sensitive for unprotected messaging may now be able to make use of the Internet. New applications may arise which make use of the PEM digital signature facility to support billing for various services accessed via the network. The Internet Society is slated to play an important role in the certification system alluded to above. Current plans call for the Society to serve as the root of the certification hierarchy, and to provide a clearinghouse database to help avoid name collisions in the certification process. Members should be proud of the pioneering role the Internet Society is playing. *Chief Scientist, Communications Division, Bolt Beranek and Newman, Inc.