On Tue, 2003-02-18 at 22:27, Andrew Jorgensen wrote:
> I don't use GPG. I sign my emails with a cert I got from Thawte for 
> free (as in beer, um apple juice, I guess). I use the SMIME features 
> that Mozilla comes with.
> 
> Personally I'm more comfortable with SMIME. If my cert includes my 
> name (which it doesn't yet) that means that a few people whose 
> identities have already been established have checked my ID and 
> verified that I am who I say I am. SMIME, PKIX, etc. are more of an 
> industry standard than PGP/GPG.

I don't know about that.  I've seen far more pgp-signed messages in the
wild than SMIME.  I'd say PGP is the de facto standard.  Anyone know if
the Utah digital signature law recognizes pgp sigs?  (Utah does have a
law making digital signatures legally binding.)

> 
>  From what I understand PGP is more of an "I say I am who I am" thing 
> than a "Several people, or even organizations, can vouch for my 
> identity" thing.

Correct.  If you read the gpg white paper "Web of Trust" you'll find
it's a very good model, probably even superior to the trusted third
party method.

> 
> Considering the troubles PGP has had (with NAI, etc.) and its lack of 
> acceptance in industry (I could be wrong there), I think SMIME is 
> probably the way to go.

pgp is no longer even a concern. gpg ensures that the format will live
on.

Also, SMIME isn't universally accepted by e-mail clients that I use and
my recipients use. I know evolution can't see them.  Not sure about
mutt.

> 
> Anyone want to disagree? (Not trying to start a holy war, just want to 
> learn why some of you use GPG instead of SMIME.)

Sure.  GPG is here, free, easy, and the de facto standard in the world
most of us are in (you know -- the hacker world :).  We all use
evolution or mutt around here, and pgp sigs work well with those
clients.

Also, gpg is now used to sign rpms from redhat, so I think within the
corporate linux world, gpg will be used even more, even if people don't
realize it (behind the scenes).

> 
> One point might be the status of the standards. Someone mentioned that 
> the RFCs about PGP et al. are still just proposals and have been 
> stagnant for several years. PKIX et al. have been official standards 
> for a while now and are considered mature.

Umm, lots of RFCs seem to be "proposed."  Personally I put a lot more faith
in a "proposed" RFC than any supposed standard Microsoft throws at me.

> 
> Another point you might make is that it's a bigger pain to get a cert 
> for SMIME. My counterpoint would be that it should be, else how do I 
> know it's really you.
> 
> Does GPG give you a false sense of security? Or can you justify that 
> sense?

Depends on if I trust you or not.  If I know you are who you say you are
(suppose we met in person), then I can verify the key with a fingerprint
and sign the key myself, verifying that I trust it.  Then if I pass your
key onto my friend, if he trusts and signs my key, then he'll also
automatically trust your key.  Take this far enough and I think
authenticity is pretty sure.

Now, I use (well, used) gpg for 2 reasons.  One is to make sure e-mails
from me really are from me (that's the big issue you bring up).  The
other is that I can completely encrypt a message to you, knowing that
you and only you can read it and it only could have come from me.

I guess what I'm trying to say, is that it's not hard to verify the keys
of my family and friends.  Once I have them and sign them, then I never
have to worry about it after that as long as they keep their private key
private (same issue would exist with smime).  And who knows, this might
be a valuable or essential thing to have.

Michael


> 
> Happily learning all I can,
> 
> Andrew
> 
> 
> ____________________
> BYU Unix Users Group 
> http://uug.byu.edu/
> ___________________________________________________________________
> List Info: http://phantom.byu.edu/cgi-bin/mailman/listinfo/uug-list
-- 
Michael Torrie <[EMAIL PROTECTED]>
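
The signing chain described in the message above (I sign your key, my friend signs mine), as an added example that is not part of the original post: a simplified Python model of how GnuPG's classic trust model decides key validity, using GnuPG's default thresholds (one fully trusted or three marginally trusted signers, chain depth up to five). The owner names and keyring are constructed, and expiry, revocation and trust signatures are not modelled.

```python
# Added example: simplified model of GnuPG's classic trust model.
# Owner names and the keyring are constructed; expiry/revocation are ignored.
FULL, MARGINAL, NONE = "full", "marginal", "none"
COMPLETES_NEEDED = 1   # gpg --completes-needed default
MARGINALS_NEEDED = 3   # gpg --marginals-needed default
MAX_CERT_DEPTH = 5     # gpg --max-cert-depth default


def valid_keys(me, signatures, ownertrust):
    """Return {key: depth} for every key `me` would treat as valid.

    signatures: {signer: set of keys that signer has certified}
    ownertrust: {key owner: FULL or MARGINAL}, as assigned by `me`
    """
    valid = {me: 0}  # my own key is ultimately trusted
    for depth in range(1, MAX_CERT_DEPTH + 1):
        newly_valid = {}
        candidates = set().union(*signatures.values()) - set(valid)
        for key in candidates:
            full = marginal = 0
            for signer, signed in signatures.items():
                # A signature only counts if the signer's key is already valid.
                if key not in signed or signer not in valid:
                    continue
                trust = FULL if signer == me else ownertrust.get(signer, NONE)
                full += trust == FULL
                marginal += trust == MARGINAL
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid[key] = depth
        if not newly_valid:
            break
        valid.update(newly_valid)
    return valid


# Constructed keyring, seen from the friend's side of the chain in the message.
SIGS = {"friend": {"michael"}, "michael": {"andrew"}}

if __name__ == "__main__":
    print(valid_keys("friend", SIGS, {}))                     # no owner trust set
    print(valid_keys("friend", SIGS, {"michael": FULL}))      # michael fully trusted
    print(valid_keys("friend", SIGS, {"michael": MARGINAL}))  # one marginal signer
```

In this model a signature makes a key valid only when the signer's key is itself valid and the signer has been assigned owner trust, which in GnuPG is a separate setting from signing the key.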

