From: chris at improbable.org (Chris Adams)
Subject: Re: OpenPGP (GnuPG) vs. S/MIME

> I'd like to open a discussion about PGP vs. S/MIME .
>
> I've been pondering secure (or at least verifiable) mail lately and I
> see these two standards as the main options available at this point.
>
> It seems to me that PGP is the better of the two options because:
> - cryptographically, it appears more secure (i.e. larger public key
> sizes possible)

I believe that's an implementation detail - at least a quick web search 
finds people who have been using 2048-bit S/MIME keys without problems.

> - it seems to be more widely used
> - it is easier to use (debatable)
> - it's free

I think the answers to these questions depend largely on who you're 
talking with. Corporate types are going to argue all three because 
S/MIME is more widely used _in their part of the world_, the trust 
model is usually closer to their organizational structure (lost keys are 
much harder to deal with; extremely large companies like subdomain 
delegation) and it's supported out of the box by Microsoft and Netscape 
clients without extra (often non-free) software.

That last item carries a surprising amount of weight - after years of 
using PGP/GPG to sign mails I recently gave in, got a free S/MIME key 
from Thawte and set it up in my mail clients (Apple Mail, mutt, 
Mozilla). The setup process is easier in every mail client I've tried 
except mutt (which required me to set up a few directories and config 
entries - hardly significant) and there's a big reward: people simply 
see your mail as verified rather than sending you confused tech support 
requests. There's no need to exchange keys, deal with key servers (how 
many clients won't automatically fetch the key I used with this 
message?) or explain a web of trust to your non-geek friends. Multiply 
this by the number of people without GPG experience at most companies 
and it's easy to see why they prefer to pay Verisign and friends so 
they can use the stock Outlook / Mozilla / etc.

I think the PGP corporate sales types can make a good effort on the 
trust / key server issues (certainly key distribution is a lot easier 
with wwwkeys.pgp.net and a well-known company carries more weight at 
the CIO/CTO level) - the big remaining issue is client support. It's 
easy to forget how few people are using decent email clients (or can 
choose one they like) - most don't even have decent spam filtering. 
PGP/GPG support needs to be both well-integrated and painless to 
install before they're going to have a chance of getting it; that 
critical mass is important both for making commercial developers care 
about it and removing the confusion disincentive for using it.

Chris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2369 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040227/3f244fcf/smime-0001.bin