Message-ID: <20040228053646.GA417@phobos.fs.tum.de>
From: Simon.Richter at hogyros.de (Simon Richter)
Subject: OpenPGP (GnuPG) vs. S/MIME

Hi,

> - cryptographically, it appears more secure (i.e. larger public key
> sizes possible)

It's not size that matters, but technique.

Seriously, both protocols support the same encryption methods and key
lengths.

> - it seems to be more widely used

Depending on the community you're looking at.

> - it is easier to use (debatable)

Ease of use is a question of the MUA used.

> - it's free

There are also free implementations of S/MIME available.

> - PGP in general is more flexible

No.

Basically, the distinguishing mark between both protocols is the trust
model implied by it (which is not intrinsic to the protocol, but made by
marketing). PGP is the "geek" protocol, anyone can simply generate a
key, have it signed by a few people they know and be set. S/MIME is the
"corporate" protocol, with a centralized trust structure. It would be no
problem to introduce centralized trust into an OpenPGP WOT (in fact, it
is being done, e.g. by German computer magazine c't, who offer an
OpenPGP signing service and have their fingerprint in every issue), and
it would be no problem to introduce a WOT into S/MIME.

However, there is no incentive to do any of these. Corporations like
VeriSign and Deutsche Telekom are making actual money selling
certification in a centralized trust model. The rest should be obvious.

Technically, the X.509 protocols can do more than OpenPGP. They have,
for example, additional attributes on a certificate that specify the
fields of use for that key (email, code signing, web services, ...) and
whether that key could sign certificates. OpenPGP simply authenticates
an entity and makes no assumption or statement about the purpose of the
key.

So, it's once again a conspiracy backed by evil large corporations that
want us all to use S/MIME. :-)

   Simon

-- 
GPG Fingerprint: 040E B5F7 84F1 4FBC CEAD  ADC6 18A0 CC8D 5706 A4B4
