On Feb 01, Volker Moell [[EMAIL PROTECTED]] wrote: > Mike Schiraldi wrote: > > > [...] > > Just a question: Is it really necessary to attach at each message the > smime.p7s file (your signature or so)? It has always about the 10th size > of your underlying posting, so it increases the size of your posting way > much. > > What is it for at all? Why is this (I think) signature so large?
Mike and I were discussing this in private mail earlier this week... I'm sure he'll have his own things to add, but after talking with him this is my take on it: The sigs are that big because they all include his public key. S/MIME does not use keyservers like OpenPGP does. It also does not have a web of trust concept, instead relying on central CAs. They consider this an advantage, since it means you can always verify a message regardless of your current network connection status, etc... all that you need to verify the message is containted in the message itself and your local list of trusted CA certs. This means that people that don't understand how public key encryption works can still use it without really having to know anything at all. There are of course a few disadvantages to these methods... first, the bandwidth issue you raise (I believe it's worth it to sign all my mails, but I have to question if it's still worth it when the sig is 3k instead of 0.2k; or rather, question if that extra bulk is giving me anything I want over what the 0.2k gives me). There are also a plethora of issues regarding the use of a CA at all vs. manually verifying your keys/using a tighter web of trust, but those are well beyond the scope of this list, probably. I think this kind of opportunistic encryption has its place in at least affecting some useful social engineering, but I don't like how all or none it is currently. To me the ideal solution to the bandwidth issue would be a system that allowed you to send the whole key with the sig to certain people, and let people request it from key servers in other cases (mailing lists). Unfortunately nothing around really does this in the ideal way (you can do it with OpenPGP implementations, but OpenPGP still has a lot of usability issues that won't make it quite reach the opportunistic encryption bar).
msg24081/pgp00000.pgp
Description: PGP signature