This important document has been developed over the past nine months by a working group consisting of both BSI employees and representatives from assorted email providers including your very own Open-Xchange.
We worked with the government to outline the specifications behind the guidelines, and shape the necessary security requirements for service providers in Germany. The document mandates email providers to implement a number of security measures including:
the need to be ISO/27001 certified, or to have an IT security concept under the Telecommunications Actmandatory use of DNSSECprotection of the SSL certificate by DANEthe obligation to actively report security incidentsthe requirement to inform users if emails have been sent or received from certified participants
The working group debated long and hard on whether DANE/DNSSEC could be required as standard and this was only accepted in the group’s last meeting, a month before the final guidelines were published. Even though the document doesn’t mandate the need for end-to-end encryption, (something we lobbied hard for!) it is a major step in the right direction for the security of German email nonetheless.
This overview shows the components that participate inthe infrastructure and their communication relationships to each other.
One thing to note is that, as of today, the process for acquiring the certification of Email Service Provider is not yet defined. However, the government should be careful as it outlines this process as if this proves to be prohibitively costly or time intensive, many providers may simply choose not to certify their email service as secure. As well as putting smaller providers at a disadvantage, such a process could negatively affect consumers, limiting their choice or providers, and ultimately damaging the secure email market.
We at Open-Xchange have been pushing for a unified, certifiable approach to secure email transmission for over a year. The BSI guidelines now reflect our own standards and requirements and stand as vindication for our efforts.