> I'd like to open a discussion about PGP vs. S/MIME.

I have been waiting for one of these... =)

> I've been pondering secure (or at least verifiable) mail lately and I
> see these two standards as the main options available at this point.
>
> It seems to me that PGP is the better of the two options because:
> - cryptographically, it appears more secure (i.e. larger public key
>   sizes possible)
> - it seems to be more widely used
> - it is easier to use (debatable)
> - it's free
> - PGP in general is more flexible

I would have to agree, for the most part.

> I've read a bit of information comparing the two, but it is all pretty
> old (mostly pre-2000). So, I may be operating under some false assumptions.

I did some reading a while back as well, comparing PGP/MIME with S/MIME. I rather like PGP/MIME over normal PGP formats. It just makes sense from a mail parsing perspective. It seemed to me when I did my share of reading that S/MIME was just a re-standardization of PGP/MIME with the current HTTPS/SSL/TLS certificate hierarchy added in.

I have found that most major mail clients will support PGP/GPG traditional formats (with plugins), but many (Outlook, Outlook Express, Opera) do not support hooks for PGP/MIME, which sucks, since PGP key management seems to be much more powerful and versatile.

It struck me that the big push for S/MIME was just another way for monopoly #2 (VeriSign) to make more money. They are already making bank on secure websites, why not provide "trust" for mail as well?

> Also, since PGP seems to be in wider use, why do fewer MUAs support it
> out of the box? To add PGP support to many of the more common MUAs in
> use, a 3rd party application needs to be used. While S/MIME support
> seems to be included into a lot of common MUAs. Is this because of
> licensing issues with commercial PGP? Or is including S/MIME support
> just easier, so developers include it out of convenience.

Personally, I would prefer the PGP to be in a separate app that plugs into mail clients in a semi-standard way.
I don't know much about what mail clients are supporting S/MIME, so I can't really comment on why it is being implemented. Maybe just because it is the hot new standard of the week? Hell, if you have hooks in your clients for S/MIME, PGP/MIME ought to be a snap...

enough babbling.

cheers,
tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
