Full Disclosure mailing list archives

Re: OpenPGP (GnuPG) vs. S/MIME


From: "Kurt Seifried" <listuser () seifried org>
Date: Fri, 27 Feb 2004 19:33:34 -0700

Folks. This topic has already been beaten to death. Simple fact is:

PGP is hard for most people to use, and required third party software
install. So it doesn't matter much if it's technically superior or not, it
hasn't taken off yet and I don't think it ever will. The web of trust simply
does not work in the real world for email between people who do not already
have ties to each other.

X.509 is also hard to use, and while more limited it is supported by default
in most major mail applications. It does the job reasonably well.

Both protocols have the same general problem, they make it VERY easy for the
user to make mistakes or misinterpret what is going on.

I went on a PGP signing binge a few years ago, no-one seemed to care, so I
started tweaking my messages to make the signatures fail, no-one complained.
I eventually gave up.

I remember one case where SuSE sent out an advisory that wasn't signed
properly; this mangled advisory was then propagated by several security
organizations including the German CERT.

http://www.seifried.org/security/cryptography/crypto-book/chapter-08.html

http://www.seifried.org/security/cryptography/20011108-breaking-trust-in-certs.html

This thread is dead. It was dead when it was started. It was dead 3 years
ago.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
