-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Boyd Stephen Smith Jr. wrote:
> On Saturday 30 September 2006 01:39, "Duncan" <[EMAIL PROTECTED]> wrote
> about '[gentoo-amd64] Re: How To Play WMV (thread drift -slaveryware)':
>> "Boyd Stephen Smith Jr." <[EMAIL PROTECTED]> posted
>> [EMAIL PROTECTED], excerpted below, on Sat, 30 Sep
>> 2006 01:01:05 -0500:
>>> Apparently his mailer
>>> (Thunderbird + Enigmail) seems to be signing his messages twice.
>> He's signing using two different formats, apparently, smime and pgp/gpg.
>
> Yeah, they should probably only use one technique to sign their messages.
> Inline PGP/GPG is deprecated, IIRC, because it doesn't handle attachments
> well (or at all?). S/MIME is preferred now but, inline PGP/GPG, being a
> bit older, has better support. I know kmail still has some ease-of-use
> issues with S/MIME, but I don't think it affects correctness.
>

Well, I can probably shed some light on things:

1. Yes, my messages are signed twice (gpg and s/mime). I found half the mailers out there support one or the other, but not always both. So, I use both. Probably doesn't hurt much other than the inline gpg.

2. The signatures probably are valid on every mail reader out there - as far as I can tell.

3. HOWEVER, the s/mime signature is using a cert from cacert.org, which hasn't paid for a webtrust audit - and therefore is not in the root cert list for most browsers/email clients. So, while the signature is valid, the chain of trust probably isn't.

4. cacert is about as open-source as you can get for something like a CA. Unfortunately, while gpg uses the web-of-trust model, s/mime uses a top-down model. While most users don't think about it, they're implicitly allowing whoever distributes their software to decide who they will trust...

(As an aside, cacert.org is interested in trying to get more mainstream support, but for various (often reasonable) reasons most distributors are more interested in just deferring to webtrust - which is VERY expensive.)

The community really does need a better solution for SSL certs. (Yes, you can get an s/mime cert free from the big players, but you certainly can't get one for https...)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFH7LpG4/rWKZmVWkRAh7TAJ0aTgiu1rueTzyUa90OQdi+oWf6HQCcDGfe
7FFtEFj+VjjMHiYi8yWGIyk=
=1EY6
-----END PGP SIGNATURE-----
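
Point 3 of the message above separates "the signature is valid" from "the chain of trust is accepted". The following is an added example, not part of the original message, that reproduces the distinction with the `openssl` CLI; the CA name, signer address and message text are constructed for the demo, and it assumes a stock `openssl.cnf`.

```shell
#!/bin/sh
# Constructed demo: the CA, signer and message below are all generated locally.
# "Demo Community CA" stands in for any CA absent from the shipped root list.
smime_trust_demo() {
    d=$(mktemp -d) || return 1
    # Private root CA (self-signed; assumes the stock openssl.cnf marks it CA:TRUE).
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Community CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Signer key and CSR, then a certificate issued by that CA.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Signer/emailAddress=signer@example.org" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/user.pem" 2>/dev/null || return 1
    # S/MIME-sign a short message with the issued certificate.
    printf 'Signed test message\n' > "$d/msg.txt"
    openssl smime -sign -in "$d/msg.txt" -signer "$d/user.pem" \
        -inkey "$d/user.key" -out "$d/msg.eml" 2>/dev/null || return 1

    # (a) Signature only: -noverify skips the signer certificate chain check.
    if openssl smime -verify -noverify -in "$d/msg.eml" \
        -out /dev/null 2>/dev/null
    then sig=valid; else sig=invalid; fi
    # (b) Default verification against the root list shipped with the system.
    if openssl smime -verify -in "$d/msg.eml" -out /dev/null 2>/dev/null
    then shipped=trusted; else shipped=untrusted; fi
    # (c) Same message once the user explicitly supplies the CA as a root.
    if openssl smime -verify -CAfile "$d/ca.pem" -in "$d/msg.eml" \
        -out /dev/null 2>/dev/null
    then imported=trusted; else imported=untrusted; fi

    rm -rf "$d"
    echo "signature=$sig shipped_roots=$shipped imported_root=$imported"
}

smime_trust_demo
```

Case (b) is what a recipient's mail client reports for a certificate whose issuer is not in its root list; case (c) is the same message after the recipient chooses to trust that issuer.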