embedded public key in signature as in smime.

Werner Koch wk at gnupg.org
Wed Jan 9 16:32:20 CET 2013


On Wed,  9 Jan 2013 15:35, oub at mat.ucm.es said:

> I started to use smime recently and besides its flaws I have to admit
> that the key interchange is easier (most likely more insecure)

With S/MIME you can send the keys because it is a centralized system and
all trust comes from the root certificate which has already been installed on
the system.  Actually sending the certificate with the mail is
required because there is no easy other way to retrieve a certificate.
With OpenPGP we have it much easier and do not need to resort to that
silliness of sending several K of certificates for a one liner.

Sending the certificate is even bad because it implies that you never
need to look out for revocations.  The funny thing is that S/MIME looks
online for revocations, but can't do so for certificates.  Thus the
argument of using a more secure offline connection is a bit flawed.

BTW, if you are able to put the keyblock/certificate into the DNS, users
have an easy way to get it.

You may also configure your mail client to always attach the OpenPGP
key, that makes it pretty clear and easy to send you (or Mallory) an
encrypted reply.



Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.



