[Full-Disclosure] Re: OpenPGP (GnuPG) vs. S/MIME

Chris Adams chris at improbable.org
Sat Feb 28 02:38:15 GMT 2004


> I'd like to open a discussion about PGP vs. S/MIME .
>
> I've been pondering secure (or at least verifiable) mail lately and I
> see these two standards as the main options available at this point.
>
> It seems to me that PGP is the better of the two options because:
> - - cryptographically, it appears more secure (i.e. larger public key
> sizes possible)

I believe that's an implementation detail - at least a quick web search 
finds people who have been using 2048-bit S/MIME keys without problems.

> - - it seems to be more widely used
> - - it is easier to use (debatable)
> - - it's free

I think the answers to these questions depend largely on who you're 
talking with. Corporate types are going to argue all three because 
S/MIME is more widely used _in their part of the world_, the trust 
model is usually closer to their organizational structure (lost keys are 
much harder to deal with; extremely large companies like subdomain 
delegation) and it's supported out of the box by Microsoft and Netscape 
clients without extra (often non-free) software.

That last item carries a surprising amount of weight - after years of 
using PGP/GPG to sign mails I recently gave in, got a free S/MIME key 
from Thawte and set it up in my mail clients (Apple Mail, mutt, 
Mozilla). The setup process is easier in every mail client I've tried 
except mutt (which required me to set up a few directories and config 
entries - hardly significant) and there's a big reward: people simply 
see your mail as verified rather than sending you confused tech support 
requests. There's no need to exchange keys, deal with key servers (how 
many clients won't automatically fetch the key I used with this 
message?) or explain a web of trust to your non-geek friends. Multiply 
this by the number of people without GPG experience at most companies 
and it's easy to see why they prefer to pay Verisign and friends so 
they can use the stock Outlook / Mozilla / etc.

I think the PGP corporate sales types can make a good effort on the 
trust / key server issues (certainly key distribution is a lot easier 
with wwwkeys.pgp.net and a well-known company carries more weight at 
the CIO/CTO level) - the big remaining issue is client support. It's 
easy to forget how few people are using decent email clients (or can 
choose one they like) - most don't even have decent spam filtering. 
PGP/GPG support needs to be both well-integrated and painless to 
install before they're going to have a chance of getting it; that 
critical mass is important both for making commercial developers care 
about it and removing the confusion disincentive for using it.

Chris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2369 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040227/3f244fcf/attachment-0001.bin 
