[Full-Disclosure] OpenPGP (GnuPG) vs. S/MIME
Simon.Richter at hogyros.de
Sat Feb 28 05:36:46 GMT 2004
> - - cryptographically, it appears more secure (i.e. larger public key
> sizes possible)
It's not size that matters, but technique.
Seriously, both protocols support the same encryption methods and key
> - - it seems to be more widely used
Depending on the community you're looking at.
> - - it is easier to use (debateable)
Ease of use is a question of the MUA used.
> - - its free
There are also free implementations of S/MIME available.
> - - PGP in general is more flexible
Basically, the distinguishing mark between both protocols is the trust
model implied by it (which is not intrinsic to the protocol, but made by
marketing). PGP is the "geek" protocol, anyone can simply generate a
key, have it signed by a few people they know and be set. S/MIME is the
"corporate" protocol, with a centralized trust structure. It would be no
problem to introduce centralized trust into an OpenPGP WOT (in fact, it
is being done, e.g. by German computer magazine c't, who offer an
OperPGP signing service and have their fingerprint in every issue), and
it would be no problem to introduce a WOT into S/MIME.
However, there is no incentive to do any of these. Corporations like
VeriSign and Deutsche Telekom are making actual money selling
certification in a centralized trust model. The rest should be obvious.
Technically, the X.509 protocols can do more than OpenPGP. They have,
for example, additional attributes on a certificate that specify the
fields of use for that key (email, code signing, web services, ...) and
whether that key could sign certificates. OpenPGP simply authenticates
an entity and makes no assumption or statement about the purpose of the
So, it's once again a conspiracy backed by evil large corporations that
want us all to use S/MIME. :-)
GPG Fingerprint: 040E B5F7 84F1 4FBC CEAD ADC6 18A0 CC8D 5706 A4B4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040228/53fadc0e/attachment.bin
Full-Disclosure is hosted and sponsored by Secunia.