> Yes, and no. PGP and S/MIME each have their own key distribution
> problems. With PGP, it's easy to invent a key, and hard to get other
> people's software to trust it. With S/MIME it's harder to get a key,
> but once you have one, the software is all happy.
That's a bug, not a feature. The PGP key is almost certainly more trust=
worthy than the S/MIME key.
Um, didn't this start out as a discussion about how we should try to get
people using crypto, rather than demanding perfection that will never
happen? Typical S/MIME keys are issued by CAs that verify them by
sending you mail with a link. While it is easy to imagine ways that
could be subverted, in practice I've never seen it.
> The MUAs I use (Thunderbird, Alpine, Evolution) support S/MIME a lot
> better than they support PGP. There's typically a one key command or
> a button to turn signing and encryption on and off, and they all
> automagically import the certs from on incoming mail.
Yup. That's also a bug, not a feature. I was just wondering why that
is. The only implementation I've seen a reference to is Sylpheed, which
is not widely used
Same issue. I can send signed mail to a buttload more people with
S/MIME than I can with PGP, because I have their keys in my MUA.
Hypothetically, one of them might be bogus. Realistically, they aren't.
R's,
John
smime.p7s
Description: S/MIME Cryptographic Signature