Re: not really pgp signing in van

2013-09-09 20:42:54
On Sep 9, 2013, at 9:26 PM, John R Levine <johnl(_at_)taugh(_dot_)com> wrote:
> Um, didn't this start out as a discussion about how we should try to get
> people using crypto, rather than demanding perfection that will never
> happen?

Yes.

> Typical S/MIME keys are issued by CAs that verify them by
> sending you mail with a link.  While it is easy to imagine ways that
> could be subverted, in practice I've never seen it.

The most obvious way that it can be subverted is that the CA issues you a key 
pair and gives a copy of the private key to one or more others who would like 
either to be able to pretend to be you, or to intercept communication that you 
have encrypted.   I would argue that this is substantially less trustworthy 
than a PGP key!

Of course you can _do_ S/MIME with a non-shared key, but not for free, and not 
without privacy implications.   (I'm just assuming that an individual can get 
an S/MIME Cert on a self-generated public key—I haven't actually found a CA who 
offers that service.)

> Same issue.  I can send signed mail to a buttload more people with
> S/MIME than I can with PGP, because I have their keys in my MUA.
> Hypothetically, one of them might be bogus.  Realistically, they aren't.

Very nearly that same degree of assurance can be obtained with PGP; the 
difference is that we don't have a ready system for making it happen.

E.g., if my MUA grabs a copy of your key from a URL where you've published it, 
and validates email from you for a while, it could develop a degree of 
confidence in your key without requiring an external CA, and without that CA 
having a copy of your private key.   Or it could just do ssh-style 
leap-of-faith authentication of the key the first time it sees it; a fake key 
would be quickly detected unless your attacker controls your home MTA or the 
attacked identity's home MTA.
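
The leap-of-faith pinning described in the message above, sketched as an added example that is not part of the original post and not code from any MUA. It assumes the caller has already verified the message signature, uses SHA-256 over the key bytes as a stand-in fingerprint, and `TofuStore`, `Pin` and `TRUST_AFTER` are hypothetical names.

```python
import hashlib
from dataclasses import dataclass, field

TRUST_AFTER = 3  # assumed threshold: validated messages before a pin counts as "trusted"

@dataclass
class Pin:
    fingerprint: str
    validated: int = 0                           # messages that verified under the pinned key
    rejected: set = field(default_factory=set)   # other fingerprints seen for this address

class TofuStore:
    """Leap-of-faith key pinning per sender address (hypothetical helper)."""

    def __init__(self):
        self.pins = {}

    @staticmethod
    def fingerprint(key_bytes: bytes) -> str:
        # Stand-in fingerprint (assumption): SHA-256 over the raw key material.
        return hashlib.sha256(key_bytes).hexdigest()

    def observe(self, sender: str, key_bytes: bytes, signature_ok: bool) -> str:
        """Record one message; return invalid, pinned, provisional, trusted or conflict."""
        if not signature_ok:
            return "invalid"          # never pin or count a key that failed verification
        addr = sender.strip().lower()
        fpr = self.fingerprint(key_bytes)
        pin = self.pins.get(addr)
        if pin is None:
            self.pins[addr] = Pin(fpr, validated=1)
            return "pinned"           # first sighting: the leap of faith
        if pin.fingerprint != fpr:
            pin.rejected.add(fpr)     # keep the original pin and surface the mismatch
            return "conflict"
        pin.validated += 1            # confidence grows with each validated message
        return "trusted" if pin.validated >= TRUST_AFTER else "provisional"

if __name__ == "__main__":
    # Constructed sample data: two byte strings standing in for public keys.
    store = TofuStore()
    real, other = b"constructed-key-A", b"constructed-key-B"
    for key in (real, real, other, real):
        print(store.observe("alice@example.org", key, signature_ok=True))
```

A `conflict` result never replaces the existing pin, so a changed key stays visible to the user until it is resolved out of band.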