Andrew Jorgensen andrew.jorgensen at gmail.com
Mon Aug 20 10:07:20 MDT 2007

On 8/20/07, Steven Alligood <steve at bluehost.com> wrote:
> S/MIME was specifically designed for email, using asymmetric encryption
> and Certificate Authorities (verisign, thawte, etc), attempting to use
> very similar technology to SSL and TLS, whereas PGP sprung up from the
> open source community to encrypt stuff, and was later added into email
> as a nifty way to handle email encryption.
> Choose whichever (or both) suite your needs.  I prefer the method that
> all the major email clients already understand, due to who I email in
> the course of business.  Your mileage may vary.

Another way of looking at the difference is that they do the same
thing but S/MIME is part of the whole SSL public key infrastructure
(PKI), which means that the same people who affirm that the website
you're connecting to is to some degree legit affirm that my email is
really from me.  They both have advantages, of course.  One major
difference that may determine what you or your company uses (or at
least I'm told that the LDS church chose PGP because of this) is the
amount of data it adds to your email.  S/MIME sends more data with
email because there are no directories to look them up on.  This can
be good because you'll generally have the CA certificates already
installed in your email client and that's all you need to verify
authenticity (to the degree that it /can/ be authenticated anyway).

Yet another difference is the model used to establish trust.  PGP
establishes trust by spidering it's way through the people you trust
to find a path to the person you need to authenticate.  Quite often,
unless you're well connected, you don't have a path from you to that
person and you really have no way at all to verify that they are who
they say they are.  S/MIME has a center to it's web so that you don't
have to know someone who knows someone to verify that at the very
least the own (or pwn maybe) that email address.

Thawte uses a web of trust model like PGP to verify actual identities
(names rather than just emails).

> BTW, are any of the PLUGers in the thawte web of trust and can sign off
> on the other members?  If not, it may be worth getting a few who can do it.

I'm a Thawte WOT notary but I can only award 10 points.  Of course, if
other notaries want to assert for me too we can all bump up the number
of points we can give.  If I can make it out to the next meeting or if
you're coming to the UTOSC I'm happy to help.  Please have at least
one "original trusted photo-identity document" with you.

More information about the PLUG mailing list