Miguel A. Urech [MAU] wrote:

...

MAU> I am considering using PGP or S/MIME for some business
MAU> correspondence (obviously with TB) and, perhaps because I have
MAU> not read enough about either, it is not clear to me what are the
MAU> advantages and disadvantages of one or the other. Just looking at
MAU> this list I see that, of those of you who use it, most use PGP
MAU> and just a few S/MIME digital signatures. Why is this so?
To add to what Marck and Dierk already mentioned: the main difference between the two is verification of the sender. Both are equally good at confirming whether or not the message has been tampered with. Unlike PGP, where you have a public key in hand to verify messages with, a public key that you can eventually associate with a particular sender over an extended period of time, there doesn't seem to be a facility for this when using S/MIME. You have to rely on the central certification authority. The certification authority relies on the integrity of its notaries, who will sign keys as being really owned by their owners, whose identities are verified through *personal* interaction and presentation of the relevant documents to prove identity. If a notary signs your key, and your name is associated with the key, I can assume the message is really from you once I can trust the certifying authority.

PGP doesn't work that way. It relies on a 'web of trust' where we sign each other's keys, and the signatures are integrated at the key manager level to generate trust for keys that you may have received for the first time and cannot personally verify. An example would be if you met Marck and signed his key. Marck has signed my public key as well. If you were to receive my public key, the trust level of my key will go up for you since it was signed by a key that you signed yourself as being authentic and really owned by Marck. This system takes certification away from a central authority, which is better.

The disadvantage is that for the web of trust to work, you have to have signed at least one key as having been authentic. However, this is usually not a problem when using PGP in an organisation where the users often meet and can easily verify each other's keys. An effective web of trust can therefore be easily propagated.
OTOH, if you're the lone user out there who receives a message from God only knows who, then S/MIME would be the better route towards having some form of verification of the person's identity, since verification is performed centrally without your input. Some purists may perhaps rightfully say that verification is an all-or-none thing, so a central certifying authority with potential for corruption is really meaningless and doesn't make sense. But it's up to you. :-)

Hope that helps.

-- 
-=Allie C Martin=- [List Moderator]
PGP/GPG Public Key: mailto:[EMAIL PROTECTED]?Subject=2B0717E2
_____________________________________________
TB! v1.60g on Windows XP Pro

________________________________________________________
Current Ver: 1.60c
FAQ        : http://faq.thebat.dutaint.com
Unsubscribe: mailto:[EMAIL PROTECTED]
Archives   : http://tbudl.thebat.dutaint.com
Moderators : mailto:[EMAIL PROTECTED]
TBTech List: mailto:[EMAIL PROTECTED]
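The "you signed Marck's key, Marck signed mine" scenario from the post, worked through as an added example (not code from the post or from The Bat!). It models the classic PGP validity rule, which the post does not spell out: a key is valid for you if you signed it yourself, or if it carries a signature from one fully trusted introducer or two marginally trusted ones, and you must assign that introducer trust explicitly; the people and signatures are constructed.

```python
# Owner-trust levels you assign to people as introducers.
FULL, MARGINAL, UNKNOWN = "full", "marginal", "unknown"
COMPLETES_NEEDED = 1   # one fully trusted signature makes a key valid
MARGINALS_NEEDED = 2   # or two marginally trusted signatures

class Keyring:
    """A toy PGP keyring: who signed whose key, and how much I trust each
    person as an introducer (the web of trust, not a central CA)."""
    def __init__(self, me):
        self.me = me
        self.signers = {me: set()}   # key owner -> owners whose keys signed it
        self.owner_trust = {}        # key owner -> FULL / MARGINAL / UNKNOWN

    def sign(self, signer, subject):
        # signer certifies that subject's key really belongs to subject
        self.signers.setdefault(signer, set())
        self.signers.setdefault(subject, set()).add(signer)

    def is_valid(self, owner, _seen=frozenset()):
        """Is this key valid *for me*: signed by me, or by enough valid
        introducers whom I trust to certify other people's keys?"""
        if owner == self.me:
            return True
        if owner not in self.signers or owner in _seen:
            return False  # unknown key, or a cycle of signatures
        if self.me in self.signers[owner]:
            return True   # I verified this key in person and signed it
        completes = marginals = 0
        for signer in self.signers[owner]:
            if not self.is_valid(signer, _seen | {owner}):
                continue  # an introducer's own key must itself be valid
            level = self.owner_trust.get(signer, UNKNOWN)
            completes += level == FULL
            marginals += level == MARGINAL
        return completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED

def post_scenario():
    """The post's example: you signed Marck's key in person and Marck signed
    Allie's key. Returns Allie's validity before and after you mark Marck
    as a fully trusted introducer."""
    kr = Keyring("you")
    kr.sign("you", "Marck")
    kr.sign("Marck", "Allie")
    before = kr.is_valid("Allie")     # False: Marck has no owner trust yet
    kr.owner_trust["Marck"] = FULL
    return before, kr.is_valid("Allie")  # (False, True)
```

A signature from someone whose own key you have never validated counts for nothing, however much trust you assign them, which is the check a single central authority replaces with its own root.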

