S/MIME or PGP/MIME?

[Lionel Elie Mamane]

--45Z9DzgjV8m4Oswq
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Dec 06, 2001 at 05:14:34PM -0800, Paul Holman wrote:

> I think there are a couple really important things to learn from the=20
> S/MIME mailer implementations we've seen:

IMHO, these are convenience-over-security choices.

> 1	Key Propogation
> S/MIME mailers attach the cert to every outgoing message and notice
> when a cert is attached to incoming messages and add it to the
> keyring (mixing metaphors a bit).

Bandwidth waste... And this is polluting the keyring with potentially
invalid (faked) keys. Adding a key to the keyring in the user's back
certainly isn't good an idea.

> 2	Opportunistic Encryption
> Try sending a message to half a dozen recipients when you only have
> keys for half of them.  S/MIME mailers will encrypt tho those it
> can, and send cleartext to the rest.

Hu? That's clearly a security risk. If you want the message encrypted
and it silently sends it as cleartext... You mean they really do that?
Oh my god...

> 3	Seamless Integration (My favorite!)
> S/MIME mailers never show you any cyphertext.  They just have little
> icons to indicate when a message was encrypted or verified
> successfully.

Mutt does that >:-)

> However, the problem isn't that the mailer developers are doing it=20
> wrong, it is that they haven't been given the tool they need - an open=20
> source OpenPGP toolkit.

libgpgme?

--45Z9DzgjV8m4Oswq
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8EGXTscRzFz57S3MRAhV8AKC3jTzN5MN+xg80xkSeXVnUxEEKMACgsv+w
jcRFKaHavPPluB/weJ2HLEs=
=6R1S
-----END PGP SIGNATURE-----

--45Z9DzgjV8m4Oswq--