I have S/MIME vs GPG questions.
VirginSnow at vfemail.net
Mon Jun 1 19:44:06 EDT 2009
In message <alpine.LFD.2.00.0906011224050.4470 at saturn.syslang.net>, "Steven W. Orr" writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Some of this is technical and some clearly fluctuates between ranting and
> a political perspective.
>
...welcome to GNHLUG-discuss. ;)
> * What are the pros and cons of using GPG to sign/encrypt versus using
> S/MIME? I understand that S/MIME provides for signing by an attachment. Is
> this better?
From what I've read, the two schemes provide functionally equivalent
services: privacy via encryption, authentication via digital
signature, and key management.
Both OpenPGP and S/MIME support detached signatures, and both can be
used with the multipart/signed MIME type. OpenPGP also supports its
own ASCII format for clearsigned messages (your message, to which I am
replying, is an example). Both OpenPGP and S/MIME support the
multipart/encrypted MIME type. Because OpenPGP can sign a message and
encrypt it (done by signing the message, encrypting it, and then
armoring the result), you may also find signed & encrypted data in a
multipart/encrypted message.
>
> * Even if I don't have a cert already created, why does alpine not
> perform the verification of S/MIME messages for me when I get such
> messages? And how can I make this happen automatically when they
> happen?
Well, I've never used Alpine, so I can only speculate that it might be
configured to automatically verify signed messages. However, keep in
mind that signature verification is ONLY possible if you have a copy
of the sender's public key. Similar to automatically fetching images
when HTML mail is read, there is also a privacy risk to automatically
fetching keys: it can reveal with whom you are communicating and
when.
> Do S/MIME people publish their public keys the same way the PGP/GPG
> people do? Or is it different?
S/MIME has registered MIME types for both sending and requesting keys.
PGP keys are typically exchanged on a keyserver, or by email. The
application/pgp-keys MIME type can be used for mailing PGP keys.
However, I have not seen any MIME mechanism in OpenPGP for
*requesting* keys.
> * What really is a good book to read on S/MIME? I have read the GPG material
> but S/MIME is not a topic of discussion in that literature.
I don't read books. I read RFCs. :)
OpenPGP is defined by a few RFCs (primarily RFC 4880). S/MIME is
defined by some half a dozen RFCs. I've read the OpenPGP RFCs. I
won't even go near the S/MIME RFCs until I have at least a free decade
to spare. ;)
The following page, though a bit dated, does a good job of explaining
what S/MIME is and how it compares and contrasts with OpenPGP. It
also lists the RFCs defining the respective protocols.
http://www.imc.org/smime-pgpmime.html
In essence, S/MIME was designed by an industry consortium and is based
on standard data formats. OpenPGP was designed by the PGP community,
and uses almost exclusively home-grown packet formats.
> * Does S/MIME (alpine or otherwise) have the capability to look up a
> public key like gpg does? Or do I have to manually trade keys with
> people?
Even if you automatically retrieved a sender's public key, you would
still have to verify that the key you received is authentic. With
OpenPGP, this is done by having the sender read you his/her key
fingerprint, or by having his key signed by a trusted "introducer".
> * I seem to see that the public key created by GPG is really just a simple
> key, while the S/MIME associated public key seems to have full blown X.509
> content, at least the DN component.
OpenPGP keys are anything but simple. If you have the "pgpdump"
program, which parses OpenPGP messages, you can examine the packet
structure of a key and see all the encoded values. Don't let the
ASCII armor fool you, they're really quite complex inside. :)
> The technical end aside, I feel strongly motivated to see how to encourage
> more people to *use* this stuff. I talk to people and they look at me like
> I'm nuts for thinking that there's even a good reason for it. Am I alone
> or are there really a lot of people who use and succeed at getting more
> people to use it?
People look at me like that when I tell them that their cordless
phones aren't private. They don't SEE anyone listening to them... so
the assumption is that there ISN'T anyone else listening.
Nevertheless, I continue to exchange keys with people. In the past
month or so, I've exchanged keys with three new PGP users. Of them,
two are still using it. One of them, however, continues to send me
plaintext (you know who you are).
>
> Thanks.
> -----BEGIN PGP SIGNATURE-----
BTW, this message was sent clearsigned. If you use content-type
application/signed, you may gain additional benefits from MIME support
in your MUA.
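As an added illustration of the "anything but simple" point made about OpenPGP keys above (my own example, not code from the thread or from pgpdump): a small Python walker that strips ASCII armor and then lists the packets in a key by decoding the old- and new-format packet headers defined in RFC 4880. The input is a constructed armored blob with valid headers around dummy bodies, not real key material; the armor CRC line is skipped rather than checked, and partial-body and indeterminate lengths are reported as unsupported.

```python
import base64
TAG_NAMES = {2: "Signature", 6: "Public-Key", 13: "User ID", 14: "Public-Subkey"}  # RFC 4880 4.3 subset

def dearmor(text: str) -> bytes:
    """Strip ASCII armor: drop BEGIN/END lines, armor headers and the '=XXXX' CRC line."""
    body = text.strip().splitlines()[1:-1]
    if "" in body:                       # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))

def parse_packets(data: bytes):
    """Return [(tag name, body length)] by walking old- and new-format packet headers."""
    i, out = 0, []
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"not a packet header at offset {i}")
        if ctb & 0x40:                   # new format (section 4.2.2)
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not handled")
        else:                            # old format (section 4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            hdr = 1 + (1 << ltype)       # 1-, 2- or 4-byte length field
            length = int.from_bytes(data[i + 1:i + hdr], "big")
        out.append((TAG_NAMES.get(tag, f"tag {tag}"), length))
        i += hdr + length
    return out

def constructed_sample() -> str:
    """Constructed test input: valid packet headers around dummy bodies, not a real key."""
    raw = (bytes([0x99, 0, 8]) + b"\x04" + b"\0" * 7             # Public-Key, old fmt, 2-byte length
           + bytes([0xB4, 25]) + b"Alice <alice@example.org>"    # User ID, old fmt, 1-byte length
           + bytes([0x89, 0, 3]) + b"\x04\x13\x01"               # Signature, old fmt, 2-byte length
           + bytes([0xCE, 192, 8]) + b"\0" * 200)                # Public-Subkey, new fmt, 200 bytes
    b64 = base64.b64encode(raw).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
            f"{b64}\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")

if __name__ == "__main__":
    for name, size in parse_packets(dearmor(constructed_sample())):
        print(f"{name:14s} {size:4d}-byte body")
```

Feeding a real exported public key to the same functions shows the chain of user-ID, self-signature and subkey packets that the armor hides.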