STARTTLS and DANE mandated by National Consultation

STARTTLS and DANE mandated by National Consultation

10-10-2016 10:25:26

The National Consultation Digital Government is requiring governments to implement the email security standards STARTTLS and DANE with investments in email systems. On September 19, 2016 it was decided to add both open standards to the list of required standards according to the ‘comply-or-explain’ regime.

A solid encryption of email traffic

To guarantee the integrity and confidentiality of email traffic, the use of STARTTLS and DANE is needed. STARTTLS combined with DANE counteracts the interception or manipulation of email traffic. STARTTLS offers the possibility to secure transport connections between email servers based on certificates with TLS. In combination with email security standard DANE, email servers can also enforce the use of TLS. Together they ensure a solid encryption of email traffic. This secures the email traffic for certain types of attacks that aim to intercept or manipulate.

How does it work?

When an email is sent, the senders’ mail server sends it to the recipients’ mail server. The connection between these servers can be secured with TLS. The protocol that is used to do this is called STARTTLS. This STARTTLS-protocol makes sure that an unencrypted connection is converted to an encrypted TLS-connection. Both mail servers need to support STARTTLS to allow this.’

DANE is a technique that builds on DNSSEC and allows secure publishing of public keys and certificates. DANE can be used to connect key information (for example a hash code) to an address/protocol or port-combination. That way the authenticity of the certificate can be verified for every encrypted internet service through DNS. If the hash code of the certificate or the certificate authority is not the same as the hash code in the TLSA record, the client knows that the connection cannot be trusted.

Open standards on the ‘comply-or-explain’ list

The security standards on the ‘comply-or-explain’ list help secure information. The addition to the ‘comply-or-explain’ list means that public organisations, including healthcare and government institutions have to implement the standards when purchasing new ICT systems and services. An overview of all open standards can be found on the website of the Standardisation Forum. On domain names can be checked for the support of open standards.