[Gpg4win-devel] vs S/MIME (Re: Putty and ECDSA support for gpg-agent in 2.0)

Bernhard Reiter bernhard at intevation.de
Wed Jul 10 13:41:21 CEST 2013


On Wednesday 10 July 2013 at 13:15:30, Dr. Peter Voigt wrote:
> I cannot exactly remember the content of the dialog anymore. But the
> most annoying fact to me was that there is not the one Root CA.

We should improve the text here then.

> You can 
> only assume that it's meant to be the Root CA that might have issued
> your email certificate and private key. And moreover, even if you know
> this information during installation you should configure it better
> after installation - just the same way you do it with your OpenPGP
> private/public key and all the S/MIME keys/certificates. 

Out of my experience, it is best to think about the list of root CAs
during install, otherwise the S/MIME part is not correctly installed.
This is especially true for administrators that serve more users than themselves.

> And all those people that want to use Gpg4win just for OpenPGP email
> communication simply do not need any Root CA at that stage of
> installation and maybe even never later on.

Yes, for that user group it is superfluous.

> As I suppose most people use Gpg4win for secure email communication.
> And most of them do prefer OpenPGP to S/MIME for it. 

For both assumptions we lack hard evidence.
S/MIME tends to be used more within organisations, especially larger ones.

[Now we are into S/MIME vs OpenPGP]

> That is 
> particularly true as it is much harder to get an S/MIME private key and
> certificate - independent of whether you have issued it with your own PKI and
> CA or whether you have received it issued by an official CA. 

Is it? It really depends. If you just get it from your CA, it is quite 
straightforward.


> And key distribution is much easier with OpenPGP as you can simply use all
> those public keyservers. To my knowledge there is no such mechanism to
> receive S/MIME certs.

The easiest: Just ask the other participant to send a signed email. The 
certificates will be included.
Second best: Just search for certificates in directory services, e.g. via 
LDAP.

> It's time consuming to collect all needed 
> certificates for a verification of the complete certificate chain.

This usually is much harder with OpenPGP in a lot of situations. Employing 
http://pgp.cs.uu.nl/mk_path.cgi, for instance.

And again, nice S/MIME clients just send the certificates along. All but the 
root certificate, which you need to have configured. In situations where one 
admin configures the root cert list for a group of users, there is nothing to 
be done by the users. 

> That's why the Root CA dialog should not appear during installation of
> Gpg4win: It will mostly not address the right user group.

-- 
www.intevation.de/~bernhard (CEO)    www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner