ietf-openpgp

Re: [openpgp] Can the OpenPGP vs. S/MIME situation be fixed?

2016-07-06 10:00:40
Phillip Hallam-Baker <phill(_at_)hallambaker(_dot_)com> writes:

    There's how you issue certificates (the whole CA/introducer issue(s)),
    whether certs contain one key or key sets, how they are transported
    (S/MIME puts them in the message, OpenPGP in directories etc.), and even the
    role of the internal layering. Note that OpenPGP is a binary (and UTF-8 is
    still binary) object protocol with a drizzling of MIME-encoding frosting
    over the top. That frosting is subject to its own interpretations. S/MIME
    in contrast *starts* with the email and MIME object and underneath there's
    CMS, usually almost as an afterthought. (Did you have a momentary "huh?"
    in your head when you read CMS? Many people do, and that's the point.)
    S/MIME starts at the top, OpenPGP starts at the bottom.
   
    And oh, there are also other things that have to be re-hashed like ASN.1
    all over again and the things it drags along like encoding rules. This is
    a good deal why perhaps it's better to just push the other things up into
    software. The reason that there are the two standards is that they address
    different views of the world, technical as well as political.

Two views of the world that are rather absolutist and thus wrong. Some parts
of the world are hierarchical, others are not. A trust infrastructure needs to
support both. But it isn't clear such infrastructure is best implemented
inside a client.

OpenPGP can support hierarchical certificate deployments just fine (my
company is building one) as well as the Web of Trust model.  X.509
cannot support a Web of Trust deployment, period.

So there is a clear winner here.

-derek
-- 
       Derek Atkins                 617-623-3745
       derek(_at_)ihtfp(_dot_)com             www.ihtfp.com
       Computer and Internet Security Consultant
