[Gpg4win-users-en] S/MIME vs. OpenPGP

Werner Koch wk at gnupg.org
Mon Sep 8 16:02:42 CEST 2014

On Mon,  8 Sep 2014 09:58, bernhard at intevation.de said:

> I wrote that a standard service for checking on the validity of certificates
> makes a crypto application more secure. Dirmngr enables revocation checking
> for S/MIME and X.509 certificates; it offers such a service for X.509.

Which is a requirement for S/MIME.  However, in practice CRLs do not
work on a global scale.

> Of course someone could run a similar service for OpenPGP's certificates,
> but this is less frequently done.

Do you have the numbers?  I can only guess.  Broken CRLs often go
undetected for weeks, but when I released a GnuPG version with a bug in
--refresh-keys it took only hours for people to detect that.

> The result of the usage of web of trust that I've seen is that it is very hard 
> to find certificates of communication partners that you rarely communicate 
> with. The handling of trust chains is a hassle. So it is quite easy that one 

So what?  You need a trusted communication channel to someone you don't
know?  No key validation scheme will help you here.  Without an
established trust connection to your peer you won't send him
confidential data anyway.

> of your people on 2nd tier are actually not taking their certification deeds
> very seriously or got lured into signing a key.

There is no need for that.  It maps the real-world experience: if three
of your friends say "I trust that person", you have some indication
that it is "that person".  What else could you know about that person?

> The LDAP schemes are somewhat standardized, but hey, with a keyserver you 
> never know if the found certificate really belongs to your communication 
> partner. :)

Yeah, within one organizational entity this is usually the same
scheme.  But that's it.  OpenPGP also has a de facto standard LDAP
scheme for those who want to use LDAP.  And there is only one scheme in

Similar to keyservers, LDAP does not give you any hint on the validity
(trust) of the key (certificate).

> I guess we both agree that the currently used systems need a lot of 
> improvements.

S/MIME is broken by design because it has been built on the assumption
of a global directory (X.500, the global directory of the X.400 mail
system).  This global directory does not exist, and thus S/MIME requires
dozens of sometimes contradicting workarounds and a lot of hand waving.

OpenPGP sets all that aside and does not define any infrastructure.
Nevertheless the keyservers came to life and are still the easiest way
to find a key for a mail address and to upload a revocation.



Thoughts are free.  Exceptions are regulated by a federal law.
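The "three of your friends say I trust that person" remark above is how GnuPG's classic trust model turns ownertrust and certifications into key validity (by default a key is valid with one certification from a fully trusted valid key or three from marginally trusted valid keys, within max-cert-depth hops). The following is an added illustration written for this page, not code from the mail or from GnuPG; the key names and fingerprints are constructed placeholders, and the model is simplified (one certification hop per round, no expiry or revocation handling).

```python
# Added example: a simplified model of GnuPG's classic web-of-trust validity
# calculation (marginals-needed=3, completes-needed=1, max-cert-depth=5).
# Written for this page; not GnuPG's own implementation.
from dataclasses import dataclass, field

# Ownertrust levels as assigned by the keyring owner (gpg --edit-key / trust).
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"


@dataclass
class Key:
    fpr: str                                   # constructed placeholder fingerprint
    ownertrust: str = UNKNOWN                  # how much we trust this key's owner to certify others
    certified_by: set = field(default_factory=set)  # fingerprints of keys that signed this key


def compute_validity(keys, marginals_needed=3, completes_needed=1, max_cert_depth=5):
    """Return {fpr: validity} for every key in `keys` ({fpr: Key}).

    Rules modelled:
      * ultimately trusted keys are valid by definition (depth 0);
      * a key becomes fully valid when certified by at least `completes_needed`
        *valid* keys with full/ultimate ownertrust, or by at least
        `marginals_needed` *valid* keys with marginal ownertrust;
      * some but not enough such certifications give marginal validity;
      * ownertrust of a key counts only once that key is itself fully valid,
        so a marginally trusted but unknown-validity signer never votes;
      * validity propagates one certification hop per round, at most
        `max_cert_depth` hops away from an ultimately trusted key;
      * signers with ownertrust NEVER or signers absent from the keyring are ignored.
    """
    validity = {fpr: (ULTIMATE if k.ownertrust == ULTIMATE else UNKNOWN)
                for fpr, k in keys.items()}
    for _hop in range(max_cert_depth):
        prev = dict(validity)          # evaluate this round against the previous round's state
        changed = False
        for fpr, key in keys.items():
            if validity[fpr] in (ULTIMATE, FULL):
                continue               # already valid, nothing more to gain
            full_votes = marginal_votes = 0
            for signer in key.certified_by:
                s = keys.get(signer)
                if s is None or prev[signer] not in (FULL, ULTIMATE):
                    continue           # unknown key, or signer not (yet) valid: no vote
                if s.ownertrust in (FULL, ULTIMATE):
                    full_votes += 1
                elif s.ownertrust == MARGINAL:
                    marginal_votes += 1
            if full_votes >= completes_needed or marginal_votes >= marginals_needed:
                validity[fpr] = FULL
                changed = True
            elif full_votes or marginal_votes:
                validity[fpr] = MARGINAL
        if not changed:
            break                      # fixpoint reached before the depth limit
    return validity


def demo_keyring():
    """Constructed sample keyring (placeholder fingerprints, not real keys)."""
    me = Key("FPR-ME", ULTIMATE)
    alice = Key("FPR-ALICE", MARGINAL, {"FPR-ME"})
    bob = Key("FPR-BOB", MARGINAL, {"FPR-ME"})
    carol = Key("FPR-CAROL", MARGINAL, {"FPR-ME"})
    zed = Key("FPR-ZED", MARGINAL)                       # trusted, but nobody certified zed
    dave = Key("FPR-DAVE", FULL, {"FPR-ALICE", "FPR-BOB", "FPR-CAROL"})   # 3 marginals
    erin = Key("FPR-ERIN", UNKNOWN, {"FPR-ALICE", "FPR-BOB", "FPR-ZED"})  # only 2 count
    frank = Key("FPR-FRANK", UNKNOWN, {"FPR-DAVE"})      # 1 full, three hops from me
    mallory = Key("FPR-MALLORY", UNKNOWN, {"FPR-X1", "FPR-X2", "FPR-X3"})  # unknown signers
    return {k.fpr: k for k in (me, alice, bob, carol, zed, dave, erin, frank, mallory)}


if __name__ == "__main__":
    for fpr, v in compute_validity(demo_keyring()).items():
        print(f"{fpr:12s} {v}")
```

Running the sample shows the model's behaviour at the edges: erin stays marginal because zed, although marginally trusted, is not a valid key and so does not vote; mallory stays unknown because certifications from keys outside the keyring carry nothing; and lowering max-cert-depth to 2 drops frank back to unknown, since the path me, alice/bob/carol, dave, frank is three hops long.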
