> Yes, and no. PGP and S/MIME each have their own key distribution
> problems. With PGP, it's easy to invent a key, and hard to get other
> people's software to trust it. With S/MIME it's harder to get a key,
> but once you have one, the software is all happy.

That's a bug, not a feature. The PGP key is almost certainly more trustworthy than the S/MIME key.

Um, didn't this start out as a discussion about how we should try to get people using crypto, rather than demanding perfection that will never happen? Typical S/MIME keys are issued by CAs that verify them by sending you mail with a link. While it is easy to imagine ways that could be subverted, in practice I've never seen it.

> The MUAs I use (Thunderbird, Alpine, Evolution) support S/MIME a lot
> better than they support PGP. There's typically a one key command or
> a button to turn signing and encryption on and off, and they all
> automagically import the certs from incoming mail.

Yup. That's also a bug, not a feature.

I was just wondering why that is.

The only implementation I've seen a reference to is Sylpheed, which is not widely used.

Same issue. I can send signed mail to a buttload more people with S/MIME than I can with PGP, because I have their keys in my MUA. Hypothetically, one of them might be bogus. Realistically, they aren't.

R's,
John