[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <28E010DE-6997-11D8-8C32-000A95703418@improbable.org>
From: chris at improbable.org (Chris Adams)
Subject: Re: OpenPGP (GnuPG) vs. S/MIME
> I'd like to open a discussion about PGP vs. S/MIME .
>
> I've been pondering secure (or at least verifiable) mail lately and I
> see these two standards as the main options available at this point.
>
> It seems to me that PGP is the better of the two options because:
> - - cryptographically, it appears more secure (i.e. larger public key
> sizes possible)
I believe that's an implementation detail - at least a quick web search
finds who have been using 2048-bit S/MIME keys without problems.
> - - it seems to be more widely used
> - - it is easier to use (debateable)
> - - its free
I think the answers to these questions depend largely on who you're
talking with. Corporate types are going to argue all three because
S/MIME is more widely used _in their part of the world_, the trust
model is usually closer their organizational structure (lost keys are
much harder to deal with; extremely large companies like subdomain
delegation) and it's supported out of the box by Microsoft and Netscape
clients without extra (often non-free) software.
That last item carries a surprising amount of weight - after years of
using PGP/GPG to sign mails I recently gave in, got a free S/MIME key
from Thawte and set it up in my mail clients (Apple Mail, mutt,
Mozilla). The setup process is easier in every mail client I've tried
except mutt (which required me to setup a few directories and config
entries - hardly significant) and there's a big reward: people simply
see your mail as verified rather than sending you confused tech support
requests. There's no need to exchange keys, deal with key servers (how
many clients won't automatically fetch the key I used with this
message?) or explain a web of trust to your non-geek friends. Multiply
this by the number of people without GPG experience at most companies
and it's easy to see why they prefer to pay Verisign and friends so
they can use the stock Outlook / Mozilla / etc.
I think the PGP corporate sales types can make a good effort on the
trust / key server issues (certainly key distribution is a lot easier
with wwwkeys.pgp.net and a well-known company carries more weight with
at the CIO/CTO level) - the big remaining issue is client support. It's
easy to forget how few people are using decent email clients (or can
choose one they like) - most don't even have decent spam filtering.
PGP/GPG support needs to be both well-integrated and painless to
install before they're going to have a chance of getting it; that
critical mass is important both for making commercial developers care
about it and removing the confusion disincentive for using it.
Chris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2369 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040227/3f244fcf/smime-0001.bin
Powered by blists - more mailing lists