This is the response I finally received. It took them a lot longer than the 20 days to come up with it. And I forgot to post it here. Sorry. ------------------------------------------------- Mr von Kaehne, Following an exchange of emails with Will Moss, our NHSmail programme head, on a number of technical issues concerning access to NHSmail by non-Microsoft users, you have expressed dissatisfaction with the answers Mr Moss provided. In an email of 16 January you asked that what you have interpreted as a decision by NHS Connecting for Health to withhold information be reconsidered. On Mr Moss' behalf, I am now replying to that request, for reasons that I trust will be clear from the details of my signature block below. The FOI Act obliges public authorities to respond to requests for information promptly, and in any case no later than 20 working days after receiving your request. I very much regret, and aplogise for, the fact that we have failed to meet that deadline on this occasion. Let me assure you that the reasons for this are in no way due to lack of urgency in attening to the matter on Mr Moss' part. I set out below your original questions, and am now able to provide additional information/explanations. 1: Are you going to provide IMAP/POP3/SMTP/LDAP access to users outside of the N3 network? If not, why not? Yes. IMAP and POP access is available to NHSmail users over the internet via the Whale / IAG (VPN) client (available for download at https://client.nhs.net) 2: If you provide such access, is such access inextricably tied to using Internet Explorer on Microsoft Windows connecting via Whale Communications' applet to a SSL based VPN? No. NHSmail can be accessed via browsers other than Microsoft Internet Explorer. The Whale / IAG VPN is currently being tested against non-Windows based platforms 3: Or will there be the possibility to connect from non Microsoft Computers to this SSL based VPN - even if no explicit support is provided beyond the bare settings? If not, why not? The Whale / IAG VPN is currently being tested against non-Windows based platforms. If this testing shows that non-Windows platforms are able to use the Whale / IAG VPN securely within the security design of the NHSmail service users will be informed but any such use will not be supported 4: Are you aware that eGIF mandates standards based provision of services like email, i.e. IMAP, POP3 and SMTP? In your response of 16th January 2009 you pointed out that section 4 of eGIF (version 6.2) states ‘e-mail products that provide advanced mail access facilities shall conform to IMAP for remote mailbox access. For completeness the full relevant reference is reproduced below: (Document available at: http://www.govtalk.gov.uk/documents/TSCv6.2_2005_7_14_final.rtf ) However, a key point to note is that section 2.3 of the interconnection section of e-Government Interoperability Framework states: “Within government, the norm will be to use the intrinsic security provided by the Government Secure Intranet (GSI) to ensure email confidentiality. Unless security requirements dictate otherwise, outside the GSI and other secure government networks one of the following shall be used: S/MIME or secure mail transport and secure mail access standards protected using at least 128 bit TLS/SSL connections.” (Document available at: http://www.govtalk.gov.uk/documents/eGIF%20v6_1.rtf ) As you know the NHS does not use the GSI to connect NHS Organisations but has its own private intranet by way of N3. As stated in Mr Moss’ previous response POP, IMAP and SMTP access is fully available over the N3 network with transport layer security. The intrinsic security provided by N3 with transport security enables IMAP, POP and SMTP to be provided over N3 and to meet the security requirements of the service. Over the Internet the security requirements for POP, IMAP and SMTP access cannot be satisfied without the use of the additional security products supplied. The security requirements of the service are met via the following access methods with no need for any additional security products: - Browser based access with Internet Explorer, Mozilla Firefox and Safari - Outlook anywhere with Microsoft Outlook 2003 and 2007 - Entourage for Exchange Web Services (unsupported) In your 16 January email you have asked : Please provide me with all information relevant to the decision to explicitly deny access to non Microsoft users to the email services beyond the Web mail access, given that the eGIF document states that IMAP should be provided. It should be clear from the above explanations that no such decision has been taken. You further asked : Please provide any and all technical information which would allow non Microsoft users to gain legitimate access to NHSnet via IMAP, POP3, SMTP and LDAP from outside of N3, even if you have decided to not provide explicit technical support to such a solution. Relevant information is contained at pages 80 ff in the document, NHSmail : Email Configuration Guide version 1.4, viewable at : http://nww.connectingforhealth.nhs.uk/nhsmail/technology/Email.pdf In my view all the questions you have raised to date in your emails to Mr Moss have now been answered in full. If you are unhappy with the way we have handled your request, you may ask for an internal review. If you wish to complain, you should contact Section head The FOI Unit Room 334B Skipton House 80 London Road LONDON SE1 6LH Email: [log in to unmask] If you are not content with the outcome of the internal review, you have the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at: Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF If you have any queries about this letter, please contact me. Yours sincerely Keith Paley *********************************************************************** This message may contain confidential and privileged information. If you are not the intended recipient you should not disclose, copy or distribute information in this e-mail or take any action in reliance on its contents. To do so is strictly prohibited and may be unlawful. Please inform the sender that this message has gone astray before deleting it. Thank you. 2008 marks the 60th anniversary of the NHS. It's an opportunity to pay tribute to the NHS staff and volunteers who help shape the service, and celebrate their achievements. If you work for the NHS and would like an NHSmail email account, go to: www.connectingforhealth.nhs.uk/nhsmail ***********************************************************************