Network Working Group L. Cailleux
Internet-Draft DGA MI
Intended status: Experimental C. Bonatti
Expires: 16 April 2012 IECA
16 October 2011
Securing Header Fields with S/MIME
draft-cailleux-secure-headers-00
Abstract
This document describes how the S/MIME protocol can be extended in
order to secure message header fields. This technology provides
security services such as data integrity, non-repudiation and
confidentiality. This extension is referred to as 'Secure Headers'.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 16 April 2012.
Draft Version 0.26 (20110728)
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Cailleux Expires 16 April 2012 [Page 1]
Internet-Draft Securing Header Fields with S/MIME October 2011
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document MUST
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction...................................................2
2. Terminology and conventions used in this document..............3
3. Context........................................................3
4. Mechanisms to secure message header fields.....................5
4.1. ASN.1 syntax of secure header fields......................6
4.2. Secure header fields length and format....................7
4.3. Canonization algorithm....................................7
4.4. Header fields statuses....................................8
4.5. Signature Process.........................................8
4.5.1. Signature Generation Process.........................8
4.5.2. Signature verification process.......................9
4.6. Encryption and Decryption Processes......................11
4.6.1. Encryption Process..................................11
4.6.2. Decryption Process..................................12
5. Case of triple wrapping.......................................13
6. Security Considerations.......................................13
7. References....................................................13
7.1. Normative References.....................................13
7.2. Informative References...................................14
Appendix A. Formal syntax of Secure Header.......................15
Appendix B. Secure Header Fields example.........................16
Appendix C. Acknowledgements.....................................18
1. Introduction
S/MIME [RFC5751] standard defines a data encapsulation format for the
achievement of end to end security services such as integrity,
authentication, non-repudiation and confidentiality. By default,
S/MIME secures message body parts, at the exclusion of the message
header fields.
S/MIME provides an alternative solution to secure header fields. "The
sending client MAY wrap a full MIME [RFC2045] message in a
message/rfc822 wrapper in order to apply S/MIME security services to
header fields". However, the S/MIME solution doesn't allow selection
Cailleux & Bonatti [Page 2]
Internet-Draft Securing Header Fields with S/MIME October 2011
of a subset of message header fields to secure. In addition,
confidentiality service can not be implemented for message header
fields. The solution described herein overcomes those limitations.
Several security standards exist such as DKIM [RFC4871], STARTTLS
[RFC3207] and TLS with IMAP [RFC2595] but meet other needs (signing
domain, secure channels). An internet draft referred to as PROTECTED
HEADERS has been proposed, but doesn't address all the requirements.
These different solutions are explained in the next chapters.
The goal of this document is to define end to end secure header
fields mechanisms compliant with S/MIME standard. This technique is
based on signed attribute fields of a CMS [RFC5652] signature.
2. Terminology and conventions used in this document
The key words "REQUIRED", "MUST", "MUST NOT", "SHOULD", "SHOULD NOT",
and "MAY" in this document are to be interpreted as described in "Key
words for use in RFCs to Indicate Requirement Levels" [RFC2119].
MUA, MSA and MTA terms are defined in Email architecture document
[RFC5598].
DCA term is defined in Domain Security specification [RFC3183].
End-to-end Internet Mail exchanges are performed between message
originators and recipients.
Description of message header fields are described in [RFC5322]. A
header field is composed of a name and a value.
3. Context
Over the Internet, email usage has grown and today represents a
fundamental service. Meanwhile, continually increasing threat levels
are motivating the implementation of security services.
Historically, SMTP [RFC5321] and IMF [RFC5322] don't provide, by
default, security services. The S/MIME standard [RFC5751] was
published in order to encompass these needs. S/MIME defines a data
encapsulation format for the provision of end to end security
services such as integrity, authentication, non-repudiation and
Cailleux & Bonatti [Page 3]
Internet-Draft Securing Header Fields with S/MIME October 2011
confidentiality. By default, S/MIME secures message body parts, at
the exclusion of the message header fields. In order to protect
message header fields (for instance, the "Subject", "To", "From" or
customized fields), several solutions exist.
S/MIME defines an encapsulation mechanism, chapter 3.1: "The sending
client may wrap a full MIME message in a message/rfc822 wrapper in
order to apply S/MIME security services to these header fields. It is
up to the receiving client to decide how to present this inner header
along with the unprotected outer header". However, some use cases are
not addressed, especially in the case of message encryption. What
happens when header fields are encrypted? How does receiving client
display these header fields? How can a subset of header fields be
secured? S/MIME doesn't address these issues.
An alternative solution is described in [RFC3850]. "Receiving agents
MUST check that the address in the From or Sender header of a mail
message matches an Internet mail address, if present, in the signer's
certificate, if mail addresses are present in the certificate".
However, this solution only provides a matching mechanism between
email addresses, and provides no protection to other header fields.
Other security standards (introduced below) exist such as DKIM,
STARTTLS and TLS with IMAP but meet other needs (signing domain,
secure channels...).
STARTTLS and TLS with IMAP provide secure channels between components
of email system (MUA, MSA, MTA...) but end to end integrity cannot be
guaranteed.
DKIM defines a domain-level authentication framework for email to
permit verification of the source and contents of messages. It
provides mechanisms to secure message header fields and message body
but it doesn't guarantee non-repudiation and originator
authentication. In addition, it doesn't provide confidentiality
service.
An internet draft referred to as Protected Headers (PRHDRS) has been
proposed. Mechanisms described in this draft are the following. "A
digest value is computed over the canonicalized version of some
selected header fields. This technique resembles header protection in
Cailleux & Bonatti [Page 4]
Internet-Draft Securing Header Fields with S/MIME October 2011
DKIM. Then the digest value is included in a signed attribute field
of a CMS signature". This specification doesn't address all the
requirements. If protected header field has been altered, the
original value cannot be determined by the recipient. In addition,
encryption service cannot be applied on protected header fields.
This document proposes a technology for securing message header
fields. It's referred to as Secure Headers. It is based on S/MIME and
CMS standards. It provides security services such as data integrity,
confidentiality and non-repudiation of sender. Secure Headers is
backward compatible with other S/MIME clients. S/MIME clients who
have not implemented Secure Headers technology need merely ignore
specific signed attributes fields in a CMS signature (which is the
default behavior).
4. Mechanisms to secure message header fields
Secure Headers technology involves the description of a security
policy. This policy MUST describe a secure message profile and list
the header fields to secure.
Secure headers are based on signed attributes field as defined in
CMS. The details are as follows. The message header fields to be
secured are integrated in a structure (secure header structure) which
is encapsulated in signed attributes structure of SignerInfo object.
See Appendix A for an example. For each header field present in the
secure signature, a status can be set. Then, as described in chapter
5.4 of CMS, the message digest calculation process computes a message
digest on the content together with the signed attributes. Details of
the signature generation process are described in chapter 4.5.1 of
this document.
Verification of secure header fields is based on signature
verification process described in CMS. At the end of this process, a
comparison between secure header fields (in signature) and message
header fields is performed. If they match, the signature is valid.
Otherwise, the signature is invalid. Details of the signature
verification process are described in chapter 4.5.2 of this document.
Non-conforming S/MIME clients will ignore the signed attribute
contains a secure headers structure, and only perform the
Cailleux & Bonatti [Page 5]
Internet-Draft Securing Header Fields with S/MIME October 2011
verification process described in CMS. This guarantees backward
compatibility.
Secure headers provide security services such as data integrity, non-
repudiation and confidentiality.
For different reasons (e.g., usability, limits of IMAP [RFC3501]),
encryption and decryption processes are performed by a third party.
The third party that performs these processes is referred to in
Domain Security specification as a "Domain Confidentiality Authority"
(DCA). Details of the encryption and decryption processes are
described in chapters 4.6.1 and 4.6.2 of this document.
The architecture of Secure Headers is presented below. The MUA
performs the signature generation process (C) and signature
verification process (F). The DCA performs the message encryption
process (D) and message decryption process (E). The encryption and
decryption processes are optional.
A Domain B Domain
+------------------------+ +------------------------+
+-----+ +-----+ +-----+ +-----+
| MUA | ---------> | DCA | ------------> | DCA |----------> | MUA |
| C | SignedMsg | D | EncryptedMsg | E | SignedMsg | F |
+-----+ +-----+ +-----+ +-----+
Figure 1: Architecture of Secure Headers
4.1. ASN.1 syntax of secure header fields
ASN.1 notation [X.680] of secure header structure is the follow:
SecureHeaderFields ::= SET {
canonAlgorithm Algorithm,
secHeaderFields HeaderFields}
id-aa-secureHeaderFieldsIdentifier OBJECT IDENTIFIER ::= {iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-
aa(2) secure-headers (to be defined)}
Algorithm ::= ENUMERATED {
canonAlgorithmSimple(0),
Cailleux & Bonatti [Page 6]
Internet-Draft Securing Header Fields with S/MIME October 2011
canonAlgorithmRelaxed(1)}
HeaderFields ::= SET SIZE (1..max-header-fields) OF HeaderField
max-header-fields INTEGER ::= MAX
HeaderField ::= SEQUENCE {
field-Name HeaderFieldName,
field-Value HeaderFieldValue,
field-Status HeaderFieldStatus OPTIONAL
}
HeaderFieldName ::= IA5String
HeaderFieldValue ::= IA5String
HeaderFieldStatus ::= INTEGER
{
duplicated(0), deleted(1), modified(2)
}
4.2. Secure header fields length and format
This specification requires MUA security capabilities in order to
process well formed headers, as specified in IMF. Notice that it
includes long header fields and folded header fields.
4.3. Canonization algorithm
During a message transfer through a messaging system, some components
might modify headers (i.e., space adding or deletion,
lowercase/uppercase rewriting...). This might leads to header fields
comparison mismatch. This emphasizes the need of a conversion process
in order to transform data to their canonical form. This process is
named canonization process.
Two canonization algorithms are considered here, according to DKIM
specification, chapter 3.4. The simple algorithm doesn't allow any
modification whereas the relaxed algorithm accepts slight
modifications like spaces replacement or line reformatting. Given the
scope of this document, canonization mechanisms only involve header
fields.
Cailleux & Bonatti [Page 7]
Internet-Draft Securing Header Fields with S/MIME October 2011
4.4. Header fields statuses
Header fields statuses are required to provide a confidentiality
service toward message headers. Since this mechanism is OPTIONAL, the
status field is also OPTIONAL. The three following statuses MUST be
used:
- Duplicated (default). When this status is present or if no status
is specified, the signature process MUST embed the header field in
the signature.
- Deleted. When this status is present, the signature process MUST
embed the header field in the signature. Then, the encryption
process MUST delete this field from the message. This guarantees
header confidentiality during the message transfer. Mandatory
header fields, as specified in IMF MUST be kept in the message.
- Modified. When this status is present, the signature process MUST
embed the header field in the signature. Then, the encryption
process MUST modify the value of the header field in the message.
This guarantees header confidentiality during the message transfer.
Furthermore, modified values MAY inform a receiver's non-compliant
MUA that secure headers are being used. The new value for each
field is configured by the sender (i.e., this header is secured,
use a compliant client). Mandatory header fields, as specified in
IMF MUST be kept well formed after the modification process. For
example, Date field MUST be compliant with the IMF specification.
4.5. Signature Process
4.5.1. Signature Generation Process
During the signature generation process, the sender's MUA MUST embed
the SecureHeaderFields structure in the signed attributes, as
described in CMS. SecureHeaderFields structure MUST include a
canonization algorithm.
The sender's MUA MUST have a list of header fields to secure,
statuses and a canonization algorithm, as defined by the security
policy.
Cailleux & Bonatti [Page 8]
Internet-Draft Securing Header Fields with S/MIME October 2011
Header fields (names and values) embedded in signed attributes MUST
be the same as the ones included in the initial message.
If different headers share the same name, all instances MUST be
included in the SecureHeaderFields structure.
If multiple signatures are used, as explained in CMS and MULTISIGN
[RFC4853] specifications, SecureHeaderFields structure MUST be the
same in each SignerInfos object.
If a header field is present and its value is empty, HeaderFieldValue
MUST have a zero-length field-value.
Considering secure headers mechanisms, the signature generation
process MUST perform the following steps:
1) Select the relevant header fields to secure. This subset of
headers is defined according the security policy.
2) Apply the canonization algorithm for each selected header
field.
3) Complete the following fields in SecureHeaderFields structure
according to the initial message: HeaderFieldName, HeaderFieldValue,
HeaderFieldStatus (OPTIONAL).
4) Complete the algorithm field according to the canonization
algorithm configured.
5) Embed the SecureHeaderFields structure in the signed attributes
of the SignerInfos object.
6) Compute the signature generation process as described in CMS,
chapter 5.5
4.5.2. Signature verification process
During the signature verification process, the receiver's MUA
compares header fields embedded in the SecureHeaderFields structure
with those present in the message. For this purpose, it uses the
canonization algorithm identified in the signed attributes. If a
Cailleux & Bonatti [Page 9]
Internet-Draft Securing Header Fields with S/MIME October 2011
mismatch appears during the comparison process, the receiver's MUA
MUST invalidate the signature. The MUA MUST display information on
the validity of each header field. It MUST also display the values
embedded in the signature.
The receiver's MUA MUST know the list of mandatory header fields in
order to verify their presence in the message. If a header field
defined in a message is in the secure header list, it MUST be
included in the SecureHeaderFields structure. Otherwise, the
receiver's MUA MUST warn the user that a non-secure header is
present.
Considering secure headers mechanisms, the signature verification
process MUST perform the following steps:
1) Execute the signature verification process as described in CMS,
chapter 5.6. If the signature appears to be invalid, the process
ends. Otherwise, the process continues.
2) Read the type of canonization algorithm specified in
SecureHeaderFields structure.
3) For each field present in the signature, find the matching
header in the message. If there is no matching header, the
verification process MUST warn the user, specifying the missing
header name. The signature is tagged as invalid.
4) Compute the canonization algorithm for each header field value
in the message. If the simple algorithm is used, the steps described
in DKIM, chapter 3.4.1, are performed. If the relaxed algorithm is
used, the steps described in DKIM, chapter 3.4.2, are performed.
5) For each field, compare the value stored in the
SecureHeaderFields structure with the value returned by the
canonization algorithm. If values don't match, the verification
process MUST warn the user. This warning MUST mention mismatching
fields. The signature is tagged as invalid. If all the comparisons
succeed, the verification process MUST also notify the user (i.e.,
using an appropriate icon).
Cailleux & Bonatti [Page 10]
Internet-Draft Securing Header Fields with S/MIME October 2011
6) Verify that no secure header has been added to the message
header, given the initial fields. If an extra header field has been
added, the verification process MUST warn the user. This warning MUST
mention extra fields. The signature is tagged as invalid.
7) Verify that every mandatory headers in the security policy and
present in the message are also embedded in the SecureHeaderField
structure. If such headers are missing, the verification process MUST
warn the user and indicate the names of the missing headers.
The MUA MUST display features for each secure header field (name,
value and status) and canonization algorithm used.
4.6. Encryption and Decryption Processes
Encryption and decryption operations are not performed by MUAs. This
is mainly justified by IMAP limitations. The solution developed here
relies on concepts explained in Domain Security specification,
chapter 4. A fundamental component of the architecture is the Domain
Confidentiality Authority (DCA). Its purpose is to encrypt and
decrypt messages instead of - respectively - senders and receivers.
4.6.1. Encryption Process
All the computations presented in this chapter MUST be performed only
if the following conditions are verified:
- The content to be encrypted MUST consist of a signature object
or a multipart object, where one part is a detached signature, as
shown in S/MIME specification, chapter 3.4.
- A SecureHeaderFields structure MUST be included in the
signedAttrs field of the SignerInfo object of the signature.
All the mechanisms described below MUST start at the beginning of the
encryption process, as explained in CMS. They are performed by the
sender's DCA. The following steps MUST be performed for each field
included in the SecureHeaderFields structure:
1. Extraction of the field status;
Cailleux & Bonatti [Page 11]
Internet-Draft Securing Header Fields with S/MIME October 2011
1.1 If the status is Duplicated, the field is left at its existing
value.
1.2 If the status is Deleted, the header field (name and value) is
removed from the message. Mandatory header fields specified in
[RFC5322] MUST be kept.
1.3 If the status is Modified, the header value is replaced by a
new value, as configured in the DCA.
4.6.2. Decryption Process
All the computations presented in this chapter MUST be performed only
if the following conditions are verified:
- The decrypted content MUST consist of a signature object or a
multipart object, where one part is a detached signature, as shown in
S/MIME specification, chapter 3.4.
- A SecureHeaderFileds structure MUST be included in the
SignerInfo object of the signature.
All the mechanisms described below MUST start at the end of the
decryption process, as explained in CMS. They are executed by the
receiver's DCA. The following steps MUST be performed for each field
included in the SecureHeaderFields structure:
1. If the status is Duplicated, the field is left at its existing
value.
2. If the status is Deleted, the DCA MUST write a header field
(name and value) in the message. This header MUST be compliant with
the information embedded in the signature.
3. If the status is Modified, the DCA MUST rewrite a header field
in the message. This header MUST be compliant with the
SecureHeaderFields structure.
Cailleux & Bonatti [Page 12]
Internet-Draft Securing Header Fields with S/MIME October 2011
5. Case of triple wrapping
Secure Headers mechanisms MAY be used with triple wrapping, as
described in ESS [RFC2634]. In this case, a SecureHeaderFields
structure MAY be present in the inner signature, in the outer
signature, or both. In the last case, the two structure
SecureHeaderFields MAY differ. One MAY consider the encapsulation of
a header field in the inner signature in order to satisfy
confidentiality needs. On the contrary, an outer signature
encapsulation MAY help for delivery purpose. Header fields
processing, given the signature type (inner or outer), is out of the
scope of this document.
6. Security Considerations
This specification describes an extension of the S/MIME standard. It
provides message headers integrity, non-repudiation and
confidentiality. The signature and encryption processes are
complementary. However, according to the security policy, only the
signature mechanism MAY be prescribed. In this case, the signature
process is implemented between MUAs. The encryption process requires
signed messages with Secure Headers extension. If required, the
encryption process is implemented by DCAs.
This specification doesn't address end-to-end confidentiality for
message header fields. Sent and received messages by MUAs MAY appear
in plaintext. In order to avoid interception, the use of TLS is
recommended between MUAs and DCAs (uplink and downlink). Another
solution might be the use of S/MIME between MUAs and DCAs in the same
domain.
7. References
7.1. Normative References
[RFC2045] Borenstein, N., "Multipurpose Internet Mail Extensions Part
One", RFC 2045, November 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to indicate
requirement levels", RFC 2119, March 1997.
Cailleux & Bonatti [Page 13]
Internet-Draft Securing Header Fields with S/MIME October 2011
[RFC2634] Hoffman, P., "Enhanced Security Services for S/MIME", RFC
2634, June 1999.
[RFC4853] Housley, R., "Cryptographic Message Syntax (CMS), Multiple
Signer Clarification", RFC 4853, April 2007.
[RFC4871] Allman, E., Callas, J., Delany, M., Libbey, M., Fenton, J.
and Thomas, M., "DomainKeys Identified Mail (DKIM)
Signatures", RFC 4871, May 2007.
[RFC5322] Resnick, P., "Internet Message Format", RFC 5322, October
2008.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", RFC
5652, September 2009.
[X.680] ITU-T. Recommendation X.680 : Abstract Syntax Notation One
(ASN.1): Specification of basic notation, November 2008.
7.2. Informative References
[RFC2595] Newman, C., "Using TLS with IMAP, POP3 and ACAP", RFC 2595,
June 1999.
[RFC3183] Dean, T., Ottaway, W., "Domain security services using
S/MIME", RFC 3183, October 2001.
[RFC3207] Hoffman, P., "SMTP Service Extension for secure SMTP over
Transport Layer Security", RFC 3207, February 2002.
[RFC3501] Crispin, M., "Internet Message Access Protocol, version
4rev1", RFC 3501, March 2003.
[RFC3850] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions
(S/MIME) Version 3.1 Certificate Handling", RFC 3850, July
2004.
[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
October 2008.
[RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, July
2009.
[RFC5751] Ramsdell, B., Turner, S., "Secure/Multipurpose Internet
Mail Extensions (S/MIME) Version 3.2, Message
Specification", RFC 5751, January 2010.
Cailleux & Bonatti [Page 14]
Internet-Draft Securing Header Fields with S/MIME October 2011
Appendix A. Formal syntax of Secure Header
ASN.1 notation [X.680] of secure header structure is the follow:
SecureHeaderFields ::= SET {
canonAlgorithm Algorithm,
secHeaderFields HeaderFields}
id-aa-secureHeaderFieldsIdentifier OBJECT IDENTIFIER ::= {iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-
aa(2) secure-headers (to be defined)}
Algorithm ::= ENUMERATED {
canonAlgorithmSimple(0),
canonAlgorithmRelaxed(1)}
HeaderFields ::= SET SIZE (1..max-header-fields) OF HeaderField
max-header-fields INTEGER ::= MAX
HeaderField ::= SEQUENCE {
field-Name HeaderFieldName,
field-Value HeaderFieldValue,
field-Status HeaderFieldStatus OPTIONAL
}
HeaderFieldName ::= IA5String
HeaderFieldValue ::= IA5String
HeaderFieldStatus ::= INTEGER
{
duplicated(0), deleted(1), modified(2)
}
Cailleux & Bonatti [Page 15]
Internet-Draft Securing Header Fields with S/MIME October 2011
Appendix B. Secure Header Fields example
In the following example, header fields subject, from, to and x-ximf-
primary-precedence are secured and integrated in a SecureHeaders
structure.
Extract of message header fields
From: John Doe <jdoe@example.com>
To: Mary Smith <mary@example.com>
Subject: This is a test
X-ximf-primary-precedence: priority
SecureHeaders structure extracted from signature:
2286 163: SEQUENCE {
2289 11: OBJECT IDENTIFIER '1 2 840 113549 1 9 16 2 80'
2302 147: SET {
2305 144: SET {
2308 4: ENUMERATED 1
2314 135: SET {
2317 40: SEQUENCE {
2319 25: IA5String 'x-ximf-primary-precedence'
2346 8: IA5String 'priority'
2356 1: INTEGER 0
: }
2359 25: SEQUENCE {
2361 2: IA5String 'to'
2365 16: IA5String 'mary@example.com'
2383 1: INTEGER 0
: }
2386 34: SEQUENCE {
2388 4: IA5String 'from'
2394 23: IA5String 'jdoe <jdoe@example.com>'
2419 1: INTEGER 0
: }
2422 28: SEQUENCE {
2424 7: IA5String 'subject'
2433 14: IA5String 'This is a test'
2449 1: INTEGER 0
: }
: }
Cailleux & Bonatti [Page 16]
Internet-Draft Securing Header Fields with S/MIME October 2011
: }
: }
: }
Example is displayed as an output of Peter Gutmann's "dumpasn1"
program.
OID used in this example is non official.
Cailleux & Bonatti [Page 17]
Internet-Draft Securing Header Fields with S/MIME October 2011
Appendix C. Acknowledgements
The author would like to thank Damien Roque and Thibault Cassan
kindly provided reviews of the document and/or suggestions for
improvement. As always, all errors and omissions are the
responsibility of the authors.
Author's addresses
Laurent CAILLEUX
DGA Maitrise de l'information
BP 7
35998 Rennes Armees
France
Email: laurent.cailleux@dga.defense.gouv.fr
Chris Bonatti
IECA, Inc.
3057 Nutley Street, Suite 106
Fairfax, VA 22031
USA
Email: bonattic@ieca.com
Cailleux & Bonatti [Page 18]