On Sunday, May 05, 2002, at 6:31:23 PM PST, Lynna Lunsford wrote:

> Forgive me if this has been covered previously, but if I choose to
> use the internal S/MIME signing feature....
> There are a few additional configuration options available. Which
> should I be using?
> ENCRYPTION algorithm (available choices)
> 3DES (156 bit)
> IDEA (128 bit)
> RC2 (128 bit)
> SIGNING algorithm (available choices)
> SHA1 (160 bit)
> MD5 (128 bit)

I would recommend: 3DES for the encryption, and SHA1 (SHA160) for the hash algorithm. Still though, if you have the choice to use either S/MIME or PGP, I would recommend using PGP - for several reasons.

> And isn't the purpose of signing a message to prove that it actually
> came from you - as opposed to the purpose of encrypting a message
> (keeping the content FYEO (private)).

In theory, partially yes. If you use a Thawte "Freemail" certificate, your recipients can only verify *two* things about a particular message. Since I'm no expert on S/MIME, I assume these two things are as follows:

1) If any content has been altered since the message was signed.
2) The signer has access to the email address associated with the signing certificate.

Without more positive proof of ownership of the key (more than an email ping confirmation), one cannot assert that a Thawte Freemail/S/MIME signed message is coming from *a particular person*.

Even with PGP, if a message is signed with an untrusted key, only two things can be verified:

1) If any content has been altered since the message was signed.
2) The signer has access to the private key and passphrase used to sign the message (or has access to the private key and a carelessly cached passphrase).

Note: Number "2" above is slightly different for S/MIME and PGP... With some S/MIME implementations (like MS CryptoAPI), no passphrase is necessarily required to sign a message with an installed certificate (depending on the chosen "security level" for a particular certificate). The certificate is associated with a particular email address. In the case of an S/MIME certificate set to a lower level of security, *anyone* can sit at your computer and write/sign/send a message from your email account. Obviously, a message signed by someone other than you, but using *your* certificate, is entirely possible.

With PGP, the passphrase must be used to decrypt the private key for signing, but the "User ID" can contain *any* email address (or none at all) that the user wanted to use during key generation. If one takes care of one's private PGP key and passphrase (and is not careless with passphrase caching), a PGP signed message - even signed by an untrusted key - can theoretically give a recipient a better idea that a message was signed by the person who claims to own the key (still though, until further confirmation of personal ownership of the key is independently established, just *who* that person is cannot be verified by verifying a signature).

To trust a verification of *who* signed a message - with either S/MIME or PGP - there must be further independent, secure verification of key ownership (see "Web of Trust"). When it comes to Web of Trust, I still feel better with a properly used PGP than I do with a properly used S/MIME.

> Therefore would it not be appropriate to sign all messages but only
> encrypt those where the content is sensitive?

That makes sense. It's up to the individual to decide what is appropriate to encrypt (put in an envelope) and what is appropriate to just be clear signed (put on a postcard).

> Final question, if I then use the internal S/MIME with whatever
> configuration options this list deems as appropriate, will the list
> members then all be able to read S/MIME signed messages without
> difficulty?

Yes - but I personally would put more trust in a PGP signed message. I would also prefer a PGP clear signed message over an S/MIME signed message because it takes up fewer bytes. I have other reasons to trust PGP over S/MIME, but that's going a bit beyond usage issues of S/MIME vs. PGP with TB! (not that I'm known for always staying "on-topic" at all times! :-))

Melissa

-- 
PGP public keys: mailto:[EMAIL PROTECTED]?subject=0xFB04F2E9&Body=Please%20send%20keys
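Melissa's point that a valid signature proves only that the content is unaltered and that the signer held the private key, while *who* that is needs independent verification of the key, as an added illustration in Python that is not part of the original thread. Textbook RSA over a SHA-1 digest stands in for S/MIME or PGP, and the names, addresses, message and hard-coded primes are all constructed.

```python
import hashlib
from dataclasses import dataclass

# Textbook RSA over a SHA-1 digest, used only to illustrate what a signature
# check establishes. It is neither S/MIME nor OpenPGP and is not safe for real use.
# Mersenne primes are hard-coded so the example needs no prime generation.
M89, M107, M127 = 2**89 - 1, 2**107 - 1, 2**127 - 1

@dataclass
class Key:
    user_id: str  # chosen freely by whoever generates the key, like a PGP User ID
    n: int
    e: int
    d: int

def generate_key(user_id: str, p: int, q: int) -> Key:
    """Build a key pair from two primes; p*q must exceed the 160-bit digest."""
    phi, e = (p - 1) * (q - 1), 65537
    return Key(user_id, p * q, e, pow(e, -1, phi))

def digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha1(message).digest(), "big")

def sign(key: Key, message: bytes) -> int:
    return pow(digest(message), key.d, key.n)

def verify(key: Key, message: bytes, signature: int) -> bool:
    return pow(signature, key.e, key.n) == digest(message)

def fingerprint(key: Key) -> str:
    """Identifies the key itself, independent of the User ID text attached to it."""
    return hashlib.sha1(f"{key.n}:{key.e}".encode()).hexdigest()

def signature_facts(key: Key, message: bytes, signature: int, trusted: set) -> dict:
    """Separate what a valid signature proves from what needs independent key checks."""
    valid = verify(key, message, signature)
    return {
        "content_unaltered": valid,
        "signer_holds_private_key": valid,
        # Only a fingerprint verified out of band (key signing, Web of Trust) ties the key to a person.
        "signer_identity_established": valid and fingerprint(key) in trusted,
    }

# Constructed scenario: Alice's key fingerprint was verified out of band; Mallory
# generates a different key that carries the same User ID text.
ALICE = generate_key("alice@example.com", M127, M89)
MALLORY = generate_key("alice@example.com", M127, M107)
TRUSTED = {fingerprint(ALICE)}
MESSAGE = b"Meeting moved to 3pm."
```

Running signature_facts over a message Mallory signed with her own key reports the content unaltered and the key in the signer's hands, but no established identity, because the User ID text matches while the fingerprint was never independently verified.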

