[Gpg4win-devel] vs S/MIME (Re: Putty and ECDSA support for gpg-agent in 2.0)

Dr. Peter Voigt pvoigt at uos.de
Wed Jul 10 14:57:00 CEST 2013


On Wed, 10 Jul 2013 13:41:21 +0200,
Bernhard Reiter <bernhard at intevation.de> wrote:

> For both assumptions we lack hard evidence.
> S/MIME tends to be used more within organisations, especially larger
> ones.
Right, I have to admit that I conclude it from a look at my keyring:
99.9% OpenPGP keys for verifying downloaded software packages and
email contacts. But that is of course not evidence.

> 
> [Now we are into S/MIME vs OpenPGP]
You're right again - both topics are obviously too closely related.

> 
> > That is 
> > particularly true as it is much harder to get an S/MIME private key
> > and certificate - independently if you have issued it with your own
> > PKI and CA or if you have received it issued by an official CA. 
> 
> Is it? It really depends. If you just get it from your ca, it is
> quite straightforward.
> 
> 
> > And key distribution is much easier with OpenPGP as you can simply
> > use all those public keyservers. To my knowledge there is no such
> > mechanism to receive S/MIME certs.
> 
> The easiest: Just ask the other participant to send a signed email.
> The certificates will be included.
I've rarely seen email partners using S/MIME certs. When I look again
at some of my saved emails from this list, I can indeed find two
S/MIME certs on my keyring. They most probably arrived there
from those emails being S/MIME signed - thus confirming your argument :-).

> Second best: Just search for certificates in directory services, e.g.
> via LDAP.
Hmm, I have read this many times but never really understood which LDAP
server to query, how, and for which certificates.

> 
> > It's time consuming to collect all needed 
> > certificates for a verification of the complete certificate chain.
> 
> This usually is much harder with OpenPGP in a lot of situations.
> Employing http://pgp.cs.uu.nl/mk_path.cgi for instance.
In theory you're right, but usually it's enough to ask a person you
would like to trust to tell you his key fingerprint, e.g. personally
over the phone. That's enough, i.e. you do not need the whole
trust chain at all. In principle, you could go a similar way with S/MIME
certificates. However, you will always have to at least trust the
issuing CA as well. Otherwise your browser, email client, etc. will
always emit annoying warnings. Moreover, trusting just the issuing
Root CA(s) is mostly enough to make e.g. browsers happy. But this is a
great security risk, as has recently been shown e.g. by Microsoft's
update service. And more examples: I regularly receive supposed
PayPal mails pointing to view.paypal-communication.com. The S/MIME
certificate is officially signed by VeriSign Inc., but the website
obviously is a phishing site. So my browser is happy, but trusting my
browser, i.e. the Root CA alone, would be fatal.

Regards,
Peter

