On 8/20/07, Steven Alligood <[EMAIL PROTECTED]> wrote:
> S/MIME was specifically designed for email, using asymmetric encryption
> and Certificate Authorities (verisign, thawte, etc), attempting to use
> very similar technology to SSL and TLS, whereas PGP sprung up from the
> open source community to encrypt stuff, and was later added into email
> as a nifty way to handle email encryption.
>
> Choose whichever (or both) suits your needs. I prefer the method that
> all the major email clients already understand, due to who I email in
> the course of business. Your mileage may vary.

Another way of looking at the difference is that they do the same thing but S/MIME is part of the whole SSL public key infrastructure (PKI), which means that the same people who affirm that the website you're connecting to is to some degree legit affirm that my email is really from me.

They both have advantages, of course. One major difference that may determine what you or your company uses (or at least I'm told that the LDS church chose PGP because of this) is the amount of data it adds to your email. S/MIME sends more data with email because there are no directories to look them up on. This can be good because you'll generally have the CA certificates already installed in your email client and that's all you need to verify authenticity (to the degree that it /can/ be authenticated anyway).

Yet another difference is the model used to establish trust. PGP establishes trust by spidering its way through the people you trust to find a path to the person you need to authenticate. Quite often, unless you're well connected, you don't have a path from you to that person and you really have no way at all to verify that they are who they say they are. S/MIME has a center to its web so that you don't have to know someone who knows someone to verify that at the very least they own (or pwn maybe) that email address. Thawte uses a web of trust model like PGP to verify actual identities (names rather than just emails).

> BTW, are any of the PLUGers in the thawte web of trust and can sign off
> on the other members? If not, it may be worth getting a few who can do it.

I'm a Thawte WOT notary but I can only award 10 points. Of course, if other notaries want to assert for me too we can all bump up the number of points we can give. If I can make it out to the next meeting or if you're coming to the UTOSC I'm happy to help. Please have at least one "original trusted photo-identity document" with you.
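
The two trust models contrasted in this message, as an added example that is not part of the original post: a breadth-first search for a PGP-style signature path, next to a walk up an S/MIME-style issuer chain. All names and both data sets are constructed, and the code models only who vouches for whom, with no cryptographic verification.

```python
from collections import deque

# Constructed sample data: who has signed whose key (signer -> signees).
# All names are hypothetical.
SIGNATURES = {
    "me": ["alice", "bob"],
    "alice": ["carol"],
    "bob": ["carol", "dave"],
    "carol": ["erin"],
    "frank": ["grace"],  # a separate cluster nobody in my circle has signed
}

def wot_path(signatures, start, target, max_depth=4):
    """Breadth-first search for the shortest signature chain start -> target.

    Returns the keys on the chain, or None when no chain exists within
    max_depth hops (the "not well connected" case).
    """
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_depth:
            continue  # do not extend chains past the hop limit
        for signee in signatures.get(path[-1], []):
            if signee not in seen:
                seen.add(signee)
                queue.append(path + [signee])
    return None

# Constructed CA hierarchy: subject -> issuer. The root is self-issued.
ISSUERS = {
    "Example Root CA": "Example Root CA",
    "Example Email CA": "Example Root CA",
    "erin@example.org": "Example Email CA",
    "grace@example.org": "Example Email CA",
}

def ca_chain(issuers, subject, trusted_roots):
    """Walk issuer links upward; return the chain if it ends at a trusted root."""
    chain = [subject]
    while chain[-1] not in trusted_roots:
        issuer = issuers.get(chain[-1])
        if issuer is None or issuer in chain:  # unknown issuer or a loop
            return None
        chain.append(issuer)
    return chain
```

With this data, `grace` is unreachable through signatures from `me`, while both `erin@example.org` and `grace@example.org` chain to the single installed root.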
