On Sep 9, 2013, at 9:26 PM, John R Levine <johnl@xxxxxxxxx> wrote:

> Um, didn't this start out as a discussion about how we should try to get
> people using crypto, rather than demanding perfection that will never
> happen?

Yes.

> Typical S/MIME keys are issued by CAs that verify them by
> sending you mail with a link. While it is easy to imagine ways that
> could be subverted, in practice I've never seen it.

The most obvious way that it can be subverted is that the CA issues you a key pair and gives a copy of the private key to one or more others who would like either to be able to pretend to be you, or to intercept communication that you have encrypted. I would argue that this is substantially less trustworthy than a PGP key!

Of course you can _do_ S/MIME with a non-shared key, but not for free, and not without privacy implications. (I'm just assuming that an individual can get an S/MIME cert on a self-generated public key—I haven't actually found a CA who offers that service.)

> Same issue. I can send signed mail to a buttload more people with
> S/MIME than I can with PGP, because I have their keys in my MUA.
> Hypothetically, one of them might be bogus. Realistically, they aren't.

Very nearly that same degree of assurance can be obtained with PGP; the difference is that we don't have a ready system for making it happen. E.g., if my MUA grabs a copy of your key from a URL where you've published it, and validates email from you for a while, it could develop a degree of confidence in your key without requiring an external CA, and without that CA having a copy of your private key.

Or it could just do ssh-style leap-of-faith authentication of the key the first time it sees it; a fake key would be quickly detected unless your attacker controls your home MTA or the attacked identity's home MTA.
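The key-continuity scheme sketched at the end of the message above (pin the sender's key on first sight, count how many messages verify under it, and flag any later message signed with a different key), written out as an added example. This is not code from the thread or from any MUA; it uses Go's standard-library Ed25519 as a stand-in for whatever PGP or S/MIME key the sender publishes, the sender address, message bodies and the `KeyStore`/`Receive`/`Scenario` names are all constructed for the illustration, and the store is in memory only. It goes one step beyond the text in two places: a first-contact key whose signature does not verify is never pinned, and a mismatching key is reported rather than silently replacing the pin.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict is what the MUA reports for one incoming signed message.
type Verdict string

const (
	FirstSeen    Verdict = "first-seen"    // leap of faith: key pinned, no history yet
	Verified     Verdict = "verified"      // signature checks out against the pinned key
	BadSignature Verdict = "bad-signature" // signature fails against the key it claims
	KeyChanged   Verdict = "key-changed"   // signed by a key other than the pinned one
)

// pin is the continuity record kept per sender address (hypothetical layout).
type pin struct {
	fingerprint string
	pubKey      ed25519.PublicKey
	verified    int // messages that verified under this key so far
}

// KeyStore is the MUA-side continuity database, in memory for the example.
type KeyStore struct {
	pins map[string]*pin
}

func NewKeyStore() *KeyStore { return &KeyStore{pins: map[string]*pin{}} }

func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Receive handles one message claiming to come from sender, carrying the
// public key the sender published (e.g. fetched from their URL) and a
// signature over body. First contact pins the key; later messages must
// match it. A different key is reported, never silently adopted.
func (ks *KeyStore) Receive(sender string, pub ed25519.PublicKey, body, sig []byte) Verdict {
	p, known := ks.pins[sender]
	if !known {
		if !ed25519.Verify(pub, body, sig) {
			return BadSignature // never pin a key that could not even verify once
		}
		ks.pins[sender] = &pin{fingerprint: fingerprint(pub), pubKey: pub, verified: 1}
		return FirstSeen
	}
	if fingerprint(pub) != p.fingerprint {
		return KeyChanged
	}
	if !ed25519.Verify(p.pubKey, body, sig) {
		return BadSignature
	}
	p.verified++
	return Verified
}

// Confidence is the number of messages verified under the pinned key: the
// crude "this key has worked for a while" score the message describes.
func (ks *KeyStore) Confidence(sender string) int {
	if p, ok := ks.pins[sender]; ok {
		return p.verified
	}
	return 0
}

// Scenario plays the exchange out with constructed messages: Alice mails
// Bob three times, then an impostor with their own key tries to pass as
// Alice, then a message arrives under Alice's key with a bad signature.
func Scenario() ([]Verdict, int, error) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, 0, err
	}
	fakePub, fakePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, 0, err
	}
	bob := NewKeyStore()
	var out []Verdict
	for _, m := range []string{"hello", "re: hello", "lunch?"} {
		body := []byte(m)
		out = append(out, bob.Receive("alice@example.org", alicePub, body, ed25519.Sign(alicePriv, body)))
	}
	body := []byte("please wire the money")
	out = append(out, bob.Receive("alice@example.org", fakePub, body, ed25519.Sign(fakePriv, body)))
	out = append(out, bob.Receive("alice@example.org", alicePub, body, ed25519.Sign(fakePriv, body)))
	return out, bob.Confidence("alice@example.org"), nil
}

func main() {
	verdicts, conf, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println(verdicts, "confidence:", conf)
}
```

The impostor's message comes back as `key-changed` after three verified messages, which is the "quickly detected" case. The blind spot the message names is also visible: on a brand-new store the impostor's key would simply be pinned as `first-seen`, which is exactly what an attacker who controls one of the home MTAs at first contact gets to exploit.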