[Gpg4win-users-en] S/MIME vs. OpenPGP (was: How do I prevent dirmngr.exe from ...)

Werner Koch wk at gnupg.org
Sun Sep 7 11:50:16 CEST 2014

On Fri,  5 Sep 2014 09:41, bernhard at intevation.de said:

> So when downloading a certificate or certificate validity information.
> Dirmngr does just this. But it makes S/MIME more secure by default than 
> OpenPGP, because X.509 has embedded standards for checking certificate's 
> validation, e.g. via revocation lists or OCSP. You can also do this with 
> OpenPGP, but there it is non-standard. 

For the record: I disagree with Bernhard's statements.  S/MIME is not
more secure than OpenPGP.  It lures you into a sense of better security
by claiming that the "certificate" is valid due to all the hard work of
one of the hundreds of CAs in the world verifying that the holder of the
certificate is indeed who s/he claims to be.

The reality however is that they merely take money to put a stamp on
your key.  Some of them even offer a service of generating a private key
for you, so that you have a reliable backup source.  Who knows to whom
they may hand over your private key?  And even if they do not operate in
crook mode, the entire X.509 model is broken beyond repair and the
easiest target for NSA/GCHQ/BND to mount a man in the middle attack on
your communication.  Web browsers meanwhile turn to non-standardized
validation services for X.509 keys because they realized that the X.509
system is too often abused.

With OpenPGP you know what you get.  Instead of using the Web of Trust,
you may also resort to exchanging fingerprints via business cards, letters,
or phone calls.  That is easy and you keep full control of your door
keys.  No need to go to "AAAAAAA Key Service" to get an allowance to
actually turn the key in your own lock of your own door.
Regarding standards: S/MIME does not even have a standard on how to
distribute keys.  It is pure luck if you are able to find a suitable key
via some non-standardized LDAP scheme.  OpenPGP has a mesh of keyservers
which is no official standard but has worked well enough for 20 years.



Thoughts are free.  Exceptions are regulated by a federal law.
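The fingerprint exchange Werner describes above (compare the fingerprint your software computes with one you received on a business card, by letter or by phone) as an added worked example. This is not code from the original message or from GnuPG; it derives an OpenPGP v4 fingerprint from a public-key packet body as RFC 4880 specifies it and compares it with an out-of-band copy. The key material, the creation timestamp and all function names are constructed for illustration; the modulus is a dummy value, not a real key.

```python
"""Added example (not from the original post or from GnuPG): derive an OpenPGP
v4 key fingerprint from a public-key packet body (RFC 4880, section 12.2) and
compare it with a copy obtained out of band, e.g. read from a business card."""
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: a 2-octet bit length followed by
    the big-endian magnitude without leading zero octets (RFC 4880, 3.2)."""
    if value == 0:
        return b"\x00\x00"
    bit_length = value.bit_length()
    return struct.pack(">H", bit_length) + value.to_bytes((bit_length + 7) // 8, "big")


def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 RSA public-key packet (tag 6):
    version(1) || creation time(4) || algorithm id(1, RSA = 1) || MPI n || MPI e.
    The creation time is part of the hashed data, so the same n and e with a
    different timestamp yield a different fingerprint."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(packet_body: bytes) -> str:
    """SHA-1 over 0x99 || two-octet body length || body, as 40 upper-case hex digits."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(packet_body)) + packet_body)
    return digest.hexdigest().upper()


def normalize_fingerprint(text: str) -> str:
    """Strip whitespace and case so a printed or hand-typed copy can be compared."""
    return "".join(text.split()).upper()


def long_key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 8 octets of the v4 fingerprint.
    It is shown here only to illustrate why a key ID is not a substitute
    for the full fingerprint when verifying a key."""
    return normalize_fingerprint(fingerprint)[-16:]


def format_fingerprint(fingerprint: str) -> str:
    """Render the fingerprint in the grouped layout gpg prints:
    five groups of four, two spaces, five more groups of four."""
    f = normalize_fingerprint(fingerprint)
    groups = [f[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def fingerprint_matches(computed: str, out_of_band: str) -> bool:
    """Compare the locally computed fingerprint with the out-of-band copy.
    Anything that is not a full 40 hex-digit fingerprint is rejected: a
    key ID or a prefix is not enough to identify a key, and 32-bit key IDs
    in particular can be collided at trivial cost."""
    a = normalize_fingerprint(computed)
    b = normalize_fingerprint(out_of_band)
    if len(a) != 40 or len(b) != 40:
        return False
    if any(c not in "0123456789ABCDEF" for c in a + b):
        return False
    return hmac.compare_digest(a.encode("ascii"), b.encode("ascii"))


# Constructed dummy key material (NOT a real key): a 1024-bit odd modulus,
# the usual public exponent, and a hypothetical creation timestamp.
DUMMY_N = (1 << 1023) | 0x10001
DUMMY_E = 65537
DUMMY_CREATED = 1409824800


def example() -> dict:
    """Compute the fingerprint of the dummy key, render it as it would appear
    on a business card, and verify that the printed copy matches."""
    body = rsa_public_key_body(DUMMY_N, DUMMY_E, DUMMY_CREATED)
    fpr = v4_fingerprint(body)
    card = format_fingerprint(fpr)
    return {
        "fingerprint": fpr,
        "card": card,
        "key_id": long_key_id(fpr),
        "match": fingerprint_matches(fpr, card),
    }


if __name__ == "__main__":
    for k, v in example().items():
        print(f"{k}: {v}")
```

The comparison deliberately accepts nothing shorter than the full fingerprint and uses a constant-time compare; the grouped rendering is the form worth printing on the card, since it is what the recipient will read back against `gpg --fingerprint`.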