Re: [Full-Disclosure] OpenPGP (GnuPG) vs. S/MIME
From: Tim (tim-securitysentinelchicken.org)
Date: Fri Feb 27 2004 - 19:08:58 CST
> I'd like to open a discussion about PGP vs. S/MIME .
I have been waiting for one of these... =)
> I've been pondering secure (or at least verifiable) mail lately and I
> see these two standards as the main options available at this point.
> It seems to me that PGP is the better of the two options because:
> - cryptographically, it appears more secure (i.e. larger public key
> sizes possible)
> - it seems to be more widely used
> - it is easier to use (debatable)
> - it's free
> - PGP in general is more flexible
I would have to agree, for the most part.
> I've read a bit of information comparing the two, but it is all pretty
> old (mostly pre-2000). So, I may be operating under some false assumptions.
I did some reading a while back as well. Comparing PGP/MIME with
S/MIME. I rather like PGP/MIME over normal PGP formats. It just makes
sense from a mail parsing perspective. It seemed to me when I did my
share of reading, that S/MIME was just a re-standardization of PGP/MIME
with the current HTTPS/SSL/TLS certificate hierarchy added in.
I have found that most major mail clients will support PGP/GPG
traditional formats (with plugins), but many (Outlook, Outlook Express,
Opera) do not support hooks for PGP/MIME, which sucks, since PGP key
management seems to be much more powerful and versatile.
It struck me that the big push for S/MIME was just another way for
monopoly #2 (VeriSign) to make more money. They are already making bank
on secure websites, why not provide "trust" for mail as well?
> Also, since PGP seems to be in wider use, why do fewer MUAs support it
> out of the box? To add PGP support to many of the more common MUAs in
> use, a 3rd party application needs to be used. While S/MIME support
> seems to be included into a lot of common MUAs. Is this because of
> licensing issues with commercial PGP? Or is including S/MIME support
> just easier, so developers include it out of convenience.
Personally, I would prefer the PGP to be in a separate app that plugs
into mail clients in a semi-standard way.
I don't know much about what mail clients are supporting S/MIME, so I
can't really comment on why it is being implemented. Maybe just because
it is the hot new standard of the week? Hell, if you have hooks in your
clients for S/MIME, PGP/MIME ought to be a snap...
enough babbling. cheers,
Full-Disclosure - We believe in it.