Full Disclosure mailing list archives

Re: OpenPGP (GnuPG) vs. S/MIME


From: Tim <tim-security () sentinelchicken org>
Date: Fri, 27 Feb 2004 17:08:58 -0800

> I'd like to open a discussion about PGP vs. S/MIME.

I have been waiting for one of these... =)

> I've been pondering secure (or at least verifiable) mail lately and I
> see these two standards as the main options available at this point.
>
> It seems to me that PGP is the better of the two options because:
> - cryptographically, it appears more secure (i.e. larger public key
>   sizes possible)
> - it seems to be more widely used
> - it is easier to use (debatable)
> - it's free
> - PGP in general is more flexible

I would have to agree, for the most part.

> I've read a bit of information comparing the two, but it is all pretty
> old (mostly pre-2000).  So, I may be operating under some false assumptions.

I did some reading a while back as well, comparing PGP/MIME with
S/MIME.  I rather like PGP/MIME over normal PGP formats.  It just makes
sense from a mail parsing perspective.  It seemed to me when I did my
share of reading, that S/MIME was just a re-standardization of PGP/MIME
with the current HTTPS/SSL/TLS certificate hierarchy added in.

I have found that most major mail clients will support PGP/GPG
traditional formats (with plugins), but many (Outlook, Outlook Express,
Opera) do not support hooks for PGP/MIME, which sucks, since PGP key
management seems to be much more powerful and versatile.

It struck me that the big push for S/MIME was just another way for
monopoly #2 (VeriSign) to make more money.  They are already making bank
on secure websites, why not provide "trust" for mail as well?

> Also, since PGP seems to be in wider use, why do fewer MUAs support it
> out of the box?  To add PGP support to many of the more common MUAs in
> use, a 3rd party application needs to be used, while S/MIME support
> seems to be included in a lot of common MUAs.  Is this because of
> licensing issues with commercial PGP?  Or is including S/MIME support
> just easier, so developers include it out of convenience?

Personally, I would prefer the PGP to be in a separate app that plugs
into mail clients in a semi-standard way.

I don't know much about what mail clients are supporting S/MIME, so I
can't really comment on why it is being implemented.  Maybe just because
it is the hot new standard of the week?  Hell, if you have hooks in your
clients for S/MIME, PGP/MIME ought to be a snap...

enough babbling.  cheers,
tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

