Re: [Full-Disclosure] OpenPGP (GnuPG) vs. S/MIME

From: Simon Richter (Simon.Richter_at_hogyros.de)
Date: 02/28/04

    To: Ben Nelson <lists@venom600.org>
    Date: Sat, 28 Feb 2004 06:36:46 +0100
    
    
    

    Hi,

    > - - cryptographically, it appears more secure (i.e. larger public key
    > sizes possible)

    It's not size that matters, but technique.

    Seriously, both protocols support the same encryption methods and key
    lengths.

    > - - it seems to be more widely used

    Depending on the community you're looking at.

    > - - it is easier to use (debatable)

    Ease of use is a question of the MUA used.

    > - - it's free

    There are also free implementations of S/MIME available.

    > - - PGP in general is more flexible

    No.

    Basically, the distinguishing mark between both protocols is the trust
    model implied by it (which is not intrinsic to the protocol, but made by
    marketing). PGP is the "geek" protocol, anyone can simply generate a
    key, have it signed by a few people they know and be set. S/MIME is the
    "corporate" protocol, with a centralized trust structure. It would be no
    problem to introduce centralized trust into an OpenPGP WOT (in fact, it
    is being done, e.g. by German computer magazine c't, who offer an
    OpenPGP signing service and have their fingerprint in every issue), and
    it would be no problem to introduce a WOT into S/MIME.

    However, there is no incentive to do any of these. Corporations like
    VeriSign and Deutsche Telekom are making actual money selling
    certification in a centralized trust model. The rest should be obvious.

    Technically, the X.509 protocols can do more than OpenPGP. They have,
    for example, additional attributes on a certificate that specify the
    fields of use for that key (email, code signing, web services, ...) and
    whether that key could sign certificates. OpenPGP simply authenticates
    an entity and makes no assumption or statement about the purpose of the
    key.

    So, it's once again a conspiracy backed by evil large corporations that
    want us all to use S/MIME. :-)

       Simon

    -- 
    GPG Fingerprint: 040E B5F7 84F1 4FBC CEAD  ADC6 18A0 CC8D 5706 A4B4
    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
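
Added example, not part of the message above or of any project it names: the certificate attributes the message describes (fields of use for a key, and whether the key may sign certificates) correspond to X.509's extendedKeyUsage, keyUsage and basicConstraints extensions. This Go sketch builds constructed sample certificates and reads those attributes back; `makeCert`, `MaySignCerts` and `AllowsPurpose` are hypothetical helper names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a self-signed, constructed sample certificate with the given purpose attributes.
func makeCert(ku x509.KeyUsage, eku []x509.ExtKeyUsage, isCA bool) *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), BasicConstraintsValid: true, IsCA: isCA,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: ku, ExtKeyUsage: eku}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der) // read the attributes back from DER, as a relying party would
	if err != nil {
		panic(err)
	}
	return cert
}

// MaySignCerts: basicConstraints must mark a CA and keyUsage must include keyCertSign.
func MaySignCerts(c *x509.Certificate) bool {
	return c.BasicConstraintsValid && c.IsCA && c.KeyUsage&x509.KeyUsageCertSign != 0
}

// AllowsPurpose: an absent extendedKeyUsage extension places no restriction on purpose.
func AllowsPurpose(c *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, u := range c.ExtKeyUsage {
		if u == want || u == x509.ExtKeyUsageAny {
			return true
		}
	}
	return len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0
}

func main() {
	mail := makeCert(x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, false)
	ca := makeCert(x509.KeyUsageCertSign, nil, true)
	fmt.Println("mail cert may sign certs:", MaySignCerts(mail), "| CA cert may:", MaySignCerts(ca))
}
```

An OpenPGP key has no equivalent of the extendedKeyUsage list checked here, which is the difference the message points to.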


