From: tim-security at sentinelchicken.org (Tim)
Subject: OpenPGP (GnuPG) vs. S/MIME

> I'd like to open a discussion about PGP vs. S/MIME.

I have been waiting for one of these... =)

> I've been pondering secure (or at least verifiable) mail lately and I
> see these two standards as the main options available at this point.
> 
> It seems to me that PGP is the better of the two options because:
> - cryptographically, it appears more secure (i.e. larger public key
> sizes possible)
> - it seems to be more widely used
> - it is easier to use (debatable)
> - it's free
> - PGP in general is more flexible

I would have to agree, for the most part.

> I've read a bit of information comparing the two, but it is all pretty
> old (mostly pre-2000).  So, I may be operating under some false assumptions.

I did some reading a while back as well, comparing PGP/MIME with
S/MIME.  I rather like PGP/MIME over normal PGP formats.  It just makes
sense from a mail parsing perspective.  It seemed to me when I did my
share of reading, that S/MIME was just a re-standardization of PGP/MIME
with the current HTTPS/SSL/TLS certificate hierarchy added in.  

I have found that most major mail clients will support PGP/GPG
traditional formats (with plugins), but many (Outlook, Outlook Express,
Opera) do not support hooks for PGP/MIME, which sucks, since PGP key
management seems to be much more powerful and versatile.

It struck me that the big push for S/MIME was just another way for
monopoly #2 (VeriSign) to make more money.  They are already making bank
on secure websites, why not provide "trust" for mail as well?  

> Also, since PGP seems to be in wider use, why do fewer MUAs support it
> out of the box?  To add PGP support to many of the more common MUAs in
> use, a 3rd party application needs to be used, while S/MIME support
> seems to be included in a lot of common MUAs.  Is this because of
> licensing issues with commercial PGP?  Or is including S/MIME support
> just easier, so developers include it out of convenience?

Personally, I would prefer the PGP to be in a separate app that plugs
into mail clients in a semi-standard way.

I don't know much about what mail clients are supporting S/MIME, so I
can't really comment on why it is being implemented.  Maybe just because
it is the hot new standard of the week?  Hell, if you have hooks in your
clients for S/MIME, PGP/MIME ought to be a snap...

enough babbling.  cheers,
tim

