Open Source and information security mailing list archives
 
From: listuser at seifried.org (Kurt Seifried)
Subject: OpenPGP (GnuPG) vs. S/MIME

Folks. This topic has already been beaten to death. Simple fact is:

PGP is hard for most people to use, and requires a third-party software
install. So it doesn't matter much if it's technically superior or not, it
hasn't taken off yet and I don't think it ever will. The web of trust simply
does not work in the real world for email between people who do not already
have ties to each other.

X.509 is also hard to use, and while more limited it is supported by default
in most major mail applications. It does the job reasonably well.

Both protocols have the same general problem: they make it VERY easy for the
user to make mistakes or misinterpret what is going on.

I went on a PGP signing binge a few years ago, no-one seemed to care, so I
started tweaking my messages to make the signatures fail, no-one complained.
I eventually gave up.

I remember one case where SuSE sent out an advisory that wasn't signed
properly; this mangled advisory was then propagated by several security
organizations including the German CERT.

http://www.seifried.org/security/cryptography/crypto-book/chapter-08.html

http://www.seifried.org/security/cryptography/20011108-breaking-trust-in-certs.html

This thread is dead. It was dead when it was started. It was dead 3 years
ago.

Kurt Seifried, kurt@...fried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

