>>> "Adam" == Adam Sjøgren <a...@koldfront.dk> writes:
> Uwe writes:

>> This is not about imposing, this is about a practical matter.

> Sure. My point is that I don't want to tell people how to handle their
> email.

I still don't understand. I say: I want to interchange encrypted mail with someone. I don't care whether it is gpg or smime, but my experience tells me it is easier for the other one to use smime. What has this to do with «imposing»?

>> Suppose you want to interchange confidential information with someone
>> outside the GNU/emacs world and that person has very little computer
>> knowledge. For him/her pgp is a nightmare to install. Smime not.

> I understand that this is how you feel. You haven't convinced me
> this is the case. You just keep stating that it is.

I cannot convince you, since you obviously have not had the same experience, good for you.

> I see. I have never heard of anyone (but you) using S/MIME with any of
> these programs.

Oh, 99% of the persons I am in contact with (not counting people on mailing lists on software issues like the gnus or auctex list etc) do not use Emacs but use either Apple mail, Thunderbird or Outlook (or a webmail interface, which is another matter).

So if I want to interchange encrypted emails with them, I am faced between pgp or smime. Smime is included already in these programs, well that first step is therefore solved, no extra installation is needed.

> So, in my eyes, PGP is much easier here. I don't even know how to tell
> someone to "apply for a certificate signed by a root authority", much
> less how to get the certificate into their chosen email-program. But
> every "illiterate" computer user knows this?

I explain that in a minute. It seems that you are not familiar with the issue of PKI https://en.wikipedia.org/wiki/Public_key_infrastructure or with smime https://en.wikipedia.org/wiki/S/MIME

I don't want to write here a long explanation since this gets off topic easily. The main issue with asymmetric encryption is not encryption but authentication.

In a nutshell: how can you be sure that the public key you obtain belongs to the person it claims it belongs to? This is the famous man in the middle attack. The answer is to sign a public key and here PGP and SMIME take two very different approaches:

- PGP creates a net of trust: there are key servers where you can upload your public keys so that it can be signed by people you trust. As a rule of thumb: one should trust a public key if it is signed by somebody one trusts or, if this is not the case, trust a key which has a lot of signatures. One should never just use a public key which has been sent to him/her, since one cannot trust it.

- SMIME has a hierarchical model: there are a dozen or so certificate authorities (CA) which can sign keys. Keys signed by these authorities have to be trusted 100%. All software mail programs I listed are configured such that public keys signed by these authorities are trusted. That is why it is unproblematic to send a public key by email, contrary to pgp.

If you don't think that obtaining a certificate (a public key signed by a CA) is easy please visit https://www.comodo.com/home/email-security/free-email-certificate.php (This is just a site I know, there are a dozen others)

Fill in name and email address, after a while you receive an email with a link, which after clicking on it[1], does the following

- if you (not you Adam, but you the generic user) use seamonkey the certificate is already installed and since seamonkey is basically firefox+thunderbird you are done.

- if you are using firefox, the certificate is installed in firefox, you have to export it and then to import it to your mail client, thunderbird say or gpgsm/gnus

- if you use safari, the certificate gets downloaded to your Desktop, you double click and restart Apple mail and you are done.

This is *not* easy? Installing pgp, a plugin and generating a pgp key is easier? Well if you think so then I cannot convince you.

> It is literally one line of configuration. Much easier than "applying
> for a certificate signed by a root authority" - what so-called
> "illiterate" person even knows what those words mean, much less how to
> do it?

But this is a serious security risk (if not a breach) if you download a key without checking its signatures before. See my comments above.

> Oh, and, ooops, that's exactly what you say the problem with creating a
> PGP key is.

> Maybe we should wrap this up, as both are, as far as I know,
> equally supported by Gnus, and so this is wandering off topic.

This topic has turned to «what is easier to use SMIME or PGP», which came up in that thread, however in fact is not so relevant for the GNUS list and that is why it is better to drop it here and to continue off-list if needed.

Regards

Uwe

Footnotes:
[1] (important: you must use the *same* browser on the *same* machine you used for applying for the certificate for that operation)
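
The hierarchical model described in this message, as an added example that is not part of the original post: a recipient who trusts only a CA accepts a signed mail whose certificate that CA issued and rejects one whose certificate merely claims the same name and address. It assumes the `openssl` command-line tool is installed; the CA, the names and the address are constructed for the demo.

```shell
#!/bin/sh
# Added example. Everything here is throwaway: the CA, keys and address are constructed.
smime_trust_demo() (
  d=$(mktemp -d) || exit 1
  trap 'rm -rf "$d"' EXIT
  cd "$d" || exit 1
  addr='/CN=Alice/emailAddress=alice@example.org'

  # 1. A root CA, standing in for the authorities a mail client is configured to trust.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=Constructed Demo Root CA' \
    -keyout ca.key -out ca.pem 2>/dev/null || exit 1

  # 2. Alice applies for a certificate: key pair plus request, signed by the CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "$addr" \
    -keyout alice.key -out alice.csr 2>/dev/null || exit 1
  openssl x509 -req -in alice.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out alice.pem 2>/dev/null || exit 1

  # 3. A self-signed certificate carrying the same name and address, no CA involved.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$addr" \
    -keyout other.key -out other.pem 2>/dev/null || exit 1

  echo 'constructed test message' > msg.txt
  result=
  for who in alice other; do
    # Each sender signs; the signer's certificate travels inside the mail.
    openssl smime -sign -in msg.txt -signer "$who.pem" -inkey "$who.key" \
      -out "$who.eml" 2>/dev/null || exit 1
    # The recipient trusts only ca.pem, never the certificate found in the mail.
    if openssl smime -verify -in "$who.eml" -CAfile ca.pem \
         -out /dev/null 2>/dev/null
    then result="$result$who=accepted "
    else result="$result$who=rejected "
    fi
  done
  echo "${result% }"
)

smime_trust_demo
```
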