Full Disclosure mailing list archives
Re: OpenPGP (GnuPG) vs. S/MIME
From: Tim <tim-security () sentinelchicken org>
Date: Fri, 27 Feb 2004 17:08:58 -0800
I'd like to open a discussion about PGP vs. S/MIME .
I have been waiting for one of these... =)
I've been pondering secure (or at least verifiable) mail lately and I see these two standards as the main options available at this point. It seems to me that PGP is the better of the two options because: - - cryptographically, it appears more secure (i.e. larger public key sizes possible) - - it seems to be more widely used - - it is easier to use (debateable) - - its free - - PGP in general is more flexible
I would have to agree, for the most part.
I've read a bit of information comparing the two, but it is all pretty old (mostly pre-2000). So, I may be operating under some false assumptions.
I did some reading a while back as well. Comparing PGP/MIME with S/MIME. I rather like PGP/MIME over normal PGP formats. It just makes sense from a mail parsing perspective. It seemed to me when I did my share of reading, that S/MIME was just a re-standardization of PGP/MIME with the current HTTPS/SSL/TLS certificate hierarchy added in. I have found that most major mail clients will support PGP/GPG traditional formats (with plugins), but many (outlook, outlook express, opera) do not support hooks for PGP/MIME, which sucks, since PGP key management seems to be much more powerful and versatile. It struck me that the big push for S/MIME was just another way for monopoly #2 (VeriSign) to make more money. They are already making bank on secure websites, why not provide "trust" for mail as well?
Also, since PGP seems to be in wider use, why do fewer MUA's support it out of the box? To add PGP support to many of the more common MUA's in use, a 3rd party application needs to be used. While S/MIME support seems to be included into a lot of common MUA's. Is this because of licensing issues with commercial PGP? Or is including S/MIME support just easier, so developers include it out of convenience.
Personally, I would prefer the PGP to be in a seperate app that plugs into mail clients in a semi-standard way. I don't know much about what mail clients are supporting S/MIME, so I can't really comment on why it is being implemented. Maybe just because it is the hot new standard of the week? Hell, if you have hooks in your clients for S/MIME, PGP/MIME ought to be a snap... enough babbling. cheers, tim _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- OpenPGP (GnuPG) vs. S/MIME Ben Nelson (Feb 27)
- Re: OpenPGP (GnuPG) vs. S/MIME Tim (Feb 27)
- Re: OpenPGP (GnuPG) vs. S/MIME Kurt Seifried (Feb 27)
- A new look at PGP (WAS: Re: OpenPGP (GnuPG) vs. S/MIME) Harry Hoffman (Feb 27)
- Re: A new look at PGP (WAS: Re: OpenPGP (GnuPG) vs. S/MIME) Troy Solo (Feb 27)
- Re: A new look at PGP (WAS: Re: OpenPGP (GnuPG) vs. S/MIME) gadgeteer (Feb 27)
- Re: Re: A new look at PGP (WAS: Re: OpenPGP (GnuPG) vs. S/MIME) Roy M. Silvernail (Feb 28)
- Re: Re: A new look at PGP (WAS: Re: OpenPGP (GnuPG) vs. S/MIME) gadgeteer (Feb 28)
- Re: OpenPGP (GnuPG) vs. S/MIME Kurt Seifried (Feb 27)
- Re: OpenPGP (GnuPG) vs. S/MIME Tim (Feb 27)
- Re: A new look at PGP (WAS: Re: OpenPGP (GnuPG) vs. S/MIME) Byron Copeland (Feb 27)
- Re: A new look at PGP (WAS: Re: OpenPGP (GnuPG) vs. S/MIME) Harry Hoffman (Feb 28)
- Re: OpenPGP (GnuPG) vs. S/MIME petard (Feb 28)