
It's also clear to me that for E-mail, you don't want transport level security for the system; you want "object" security, that is, digital signature and encryption of the mail message.
Yup. This is a frequently missed point. Link security and object security have different uses at different times -- and people confuse them way too often.
With the question of "Do you want object security or link security for email?" the answer is (as with all security questions) "What is your threat model?"

For example: Your company does not have mailreaders capable of doing encryption (at least not easy enough for average users). Your supplier has the same situation. You have accepted this fact for the time being, and trust that your employees won't tinker with the email if they want their job for long. However, the email you send to your supplier and vice-versa should not go over the Internet unencrypted, as it potentially contains sensitive information. So, a link-level encryption that the two co-operating sys-admins can set up would be a good solution. This would be easier to set up and maintain than an encrypted router tunnel through the net, and solve your problem.

Of course, I'll submit that object security on email would be preferable, but that might not be practical right now.

Dan
------------------------------------------------------------------
Dan Oelke                        Alcatel Network Systems
droelke@aud.alcatel.com          Richardson, TX
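The distinction the thread draws between link security and object security can be made concrete by modelling the mail path described above (sender, company MTA, Internet hop, supplier MTA, recipient) and recording which party ever handles plaintext. This is an added example, not code from the thread; the party names, the hop keys, the "object key" and the toy keystream cipher are all constructed assumptions used only to model visibility, not a real cipher.

```python
import hashlib

# Constructed toy keystream cipher (SHA-256 of key + counter, XORed in).
# It exists only so the model has "encrypted" bytes; never use it for real data.
def toy_encrypt(key: bytes, data: bytes) -> bytes:
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

toy_decrypt = toy_encrypt  # XOR with the same keystream is its own inverse

# Mail path from the thread: sender MUA -> company MTA -> (Internet) -> supplier MTA -> recipient MUA
HOPS = [("sender", "company_mta"), ("company_mta", "supplier_mta"), ("supplier_mta", "recipient")]
INTERNET_HOP = ("company_mta", "supplier_mta")
# Link keys: one per hop, as the two co-operating sysadmins would set up (constructed values)
LINK_KEYS = {hop: hashlib.sha256(b"link-key-" + hop[0].encode()).digest() for hop in HOPS}
# Object key: shared only by sender and recipient, i.e. end-to-end message encryption (constructed)
OBJECT_KEY = hashlib.sha256(b"sender-recipient-object-key").digest()

def deliver(message: bytes, mode: str) -> dict:
    """Relay a message hop by hop and return {party: bytes that party handled}.

    mode="none":   plaintext on every hop.
    mode="link":   each hop encrypted with its own key; every relay decrypts to forward.
    mode="object": sender encrypts for the recipient; relays forward opaque bytes.
    "internet_observer" records whatever crosses the Internet hop.
    """
    seen = {"sender": message}
    payload = toy_encrypt(OBJECT_KEY, message) if mode == "object" else message
    for hop in HOPS:
        src, dst = hop
        on_wire = toy_encrypt(LINK_KEYS[hop], payload) if mode == "link" else payload
        if hop == INTERNET_HOP:
            seen["internet_observer"] = on_wire
        # A relay must decrypt the link to forward, so it handles whatever the link carried
        payload = toy_decrypt(LINK_KEYS[hop], on_wire) if mode == "link" else on_wire
        seen[dst] = payload
    if mode == "object":
        seen["recipient"] = toy_decrypt(OBJECT_KEY, payload)  # only the end point can open it
    return seen

def parties_seeing_plaintext(message: bytes, mode: str) -> set:
    """Which parties along the path ever handle the message in the clear."""
    return {party for party, data in deliver(message, mode).items() if data == message}
```

Link security keeps the eavesdropper on the Internet hop out but leaves both MTAs (and their admins) with the plaintext; object security leaves only the two end points with it, which is the trade-off the threat model has to weigh.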