On Jun 11, 2011, at 9:14 AM, Edward Ned Harvey wrote:
> 
> But you can certainly establish all the same external context using S/MIME
> or PGP alike.  The only difference is whether or not you HAVE TO establish
> external context.

You have it backwards.  PGP/GPG do not require the use of the external 
verification channel.  They can be used just fine with blind trust that the 
sender or signer is who he claims to be.  The difference is that with S/MIME I 
am required to trust that the CA has not been compromised, but with PGP/GPG I 
have an independent verification mechanism.

Let me give you two real world examples.  The first is trusting PGP/GPG 
blindly.  Install Debian over the network.  There.  You've just blindly trusted 
that the signatures on all of the packages were made by the valid Debian keys.  
No web of trust or external verification required.  No different from using 
S/MIME signatures.

The second:  Several jobs back I had to communicate with a little company 
working on a sensitive project.  Their preference was to use PGP for 
encryption.  We -- the person I was dealing with specifically and myself -- 
exchanged keys.  We then called each other in turn and verified the 
fingerprints of our respective keys.  This verification was not required to use 
PGP, but the option is there and the company insisted on using it.

That verification would not be possible with S/MIME.  There is no validation 
mechanism besides the CAs with S/MIME.  We would both need to trust that our 
CAs had not been compromised.  This company was unwilling to make that 
assumption.

The company?  Rohr Industries (now owned by Goodrich).  At the time, circa 
1997, it was a Lockheed contractor on the X-33 programme.  Rohr had justifiable 
concerns over both foreign and domestic espionage and they chose PGP instead of 
S/MIME for communications with other contractors.

S/MIME is not the same as PGP/GPG.  It is not a religious argument.  It is a 
clear, technical distinction.

--Rich P.

_______________________________________________
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss
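The fingerprint check Rich describes in the second example, worked through in code. This is an added example, not part of the original mail or of any GnuPG source: it builds a version-4 RSA public-key packet from made-up key material (the modulus is a constructed stand-in, not a real key), derives the OpenPGP fingerprint the way RFC 4880 section 12.2 defines it, and compares it against the fingerprint the other party read to us over the phone. A substituted key, with the same creation date, same exponent and whatever user ID the attacker likes, fails the check because the fingerprint covers the full key material; that is the independent verification channel S/MIME lacks. Names such as `GENUINE_KEY`, `SUBSTITUTED_KEY` and `demo` are this example's own.

```python
"""Out-of-band OpenPGP fingerprint verification.

Added example (not from the original mail): constructs a version-4 RSA public
key packet with made-up key material, derives its fingerprint as OpenPGP does
(RFC 4880 section 12.2), and checks it against a fingerprint read to us over
the phone.  A substituted key fails the check even though everything else about
it could look identical.
"""
import hashlib
import hmac


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    if value == 0:
        return b"\x00\x00"
    bitlen = value.bit_length()
    return bitlen.to_bytes(2, "big") + value.to_bytes((bitlen + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 public-key packet for RSA (RFC 4880 section 5.5.2):
    version byte, 4-byte creation time, algorithm id 1 (RSA), MPI n, MPI e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, 2-byte body length, body.
    Returns 40 upper-case hex characters, what gpg --fingerprint prints
    (minus its grouping spaces)."""
    h = hashlib.sha1()
    h.update(b"\x99" + len(body).to_bytes(2, "big") + body)
    return h.hexdigest().upper()


def normalize_fingerprint(text: str) -> str:
    """Drop the spaces and colons people read aloud or paste; upper-case the hex."""
    return "".join(c for c in text if c.isalnum()).upper()


def fingerprint_matches(key_body: bytes, fingerprint_from_phone: str) -> bool:
    """True only if the key we actually received hashes to the fingerprint the
    other party read to us out of band.  Constant-time compare; a wrong length
    (for example a truncated reading) is a mismatch, not an exception."""
    expected = normalize_fingerprint(fingerprint_from_phone)
    if len(expected) != 40:
        return False
    return hmac.compare_digest(v4_fingerprint(key_body), expected)


def _constructed_modulus(label: bytes) -> int:
    """Deterministic 2048-bit stand-in for an RSA modulus.  Constructed for the
    example; not a real key and not usable for cryptography."""
    digest = hashlib.sha256(label).digest() * 8  # 256 bytes
    return int.from_bytes(digest, "big") | (1 << 2047) | 1


CREATED = 866_000_000  # seconds since the epoch, mid-1997, to match the story
E = 65537

# The key the counterparty really generated ...
GENUINE_KEY = v4_rsa_public_key_body(CREATED, _constructed_modulus(b"genuine"), E)
# ... and a key an interceptor might hand us in its place (same date, same e).
SUBSTITUTED_KEY = v4_rsa_public_key_body(CREATED, _constructed_modulus(b"attacker"), E)


def spoken_form(fingerprint: str) -> str:
    """Group as gpg prints it (ten blocks of four) so it can be read over a call."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, 40, 4))


def demo() -> dict:
    """Run both checks and return the outcomes, keyed for the caller."""
    over_the_phone = spoken_form(v4_fingerprint(GENUINE_KEY))
    return {
        "spoken": over_the_phone,
        "genuine_ok": fingerprint_matches(GENUINE_KEY, over_the_phone),
        "substituted_ok": fingerprint_matches(SUBSTITUTED_KEY, over_the_phone),
    }


if __name__ == "__main__":
    result = demo()
    print("Fingerprint read over the phone:", result["spoken"])
    print("Key we received matches:        ", result["genuine_ok"])
    print("Substituted key matches:        ", result["substituted_ok"])
```

The Debian case in the first example is the same primitive without this step: apt checks the signatures against keys that shipped with the installer, and nobody reads those fingerprints over a phone. Whether that blind trust is acceptable is exactly the judgement Rohr refused to make.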
