[Gpg4win-users-en] S/MIME vs. OpenPGP (was: How do I prevent dirmngr.exe from ...)

Bernhard Reiter bernhard at intevation.de
Mon Sep 8 09:58:07 CEST 2014


On Sunday 07 September 2014 at 11:50:16, Werner Koch wrote:
> On Fri,  5 Sep 2014 09:41, bernhard at intevation.de said:
> > So when downloading a certificate or certificate validity information.
> > Dirmngr does just this. But it makes S/MIME more secure by default than
> > OpenPGP, because X.509 has embedded standards for checking certificate's
> > validation, e.g. via revocation lists or OCSP. You can also do this with
> > OpenPGP, but there it is non-standard.
>
> For the records: I disagree with Bernhard's statements.  S/MIME is not
> more secure than OpenPGP.  

I did not claim that S/MIME is overall more secure than OpenPGP.

I wrote that a standard service for checking on the validity of certificates
makes a crypto application more secure. Dirmngr enables revocation checking
for S/MIME and X.509 certificates; it offers such a service for X.509.
This is a plus for X.509 and S/MIME.
Of course someone could run a similar service for OpenPGP's certificates,
but this is less frequently done.

You have pointed out some drawbacks of X.509, which there are many.
But there are also points where typical usage of OpenPGP has disadvantages
compared to S/MIME. Of course it depends on your crypto application and
requirements if one or the other is to be preferred from the security point of
view.

> With OpenPGP you know what you get.  Instead of using the Web of Trust,
> you may also resort to exchange fingerprints via business cards, letter,
> or phone calls.  That is easy and you keep full control of your door
> keys.  No need to go to "AAAAAAA Key Service" to get an allowance to
> actually turn the key in your own lock of your own door.

The result of the usage of web of trust that I've seen is that it is very hard
to find certificates of communication partners that you rarely communicate
with. The handling of trust chains is a hassle. So it is quite easy that one
of the people on your 2nd tier is actually not taking their certification deeds
very seriously or got lured to sign a key.

> Regarding standards: S/MIME has not even a standard on how to distribute
> keys. It is pure luck if you are able to find a suitable key via some
> non-standardized LDAP scheme.  OpenPGP has a mesh of keyservers which is
> no official standard but has worked well enough for 20 years.

The LDAP schemes are somewhat standardized, but hey, with a keyserver you 
never know if the found certificate really belongs to your communication 
partner. :)

I guess we both agree that the currently used systems need a lot of 
improvements.

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard (CEO)    www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner