Email encryption with S/MIME or OpenPGP?

Email encryption with S/MIME or OpenPGP?

[Rainer M Krug]

[-- Attachment #1: Type: text/plain, Size: 523 bytes --]

Hi

At the moment I am using OpenPGP to sign and encrypt my emails, but
this does not work easily on my iPhone (please tell me otherwise if it
does?).

But the iPhone implements S/MIME encryption. Now what are the advantages
of using each as a standard signing / encryption? Which one is better /
safer? I have OpenPGP working via gnus on a Mac and am happy with it. 

So - what are others using and why? Should I use S/MIME instead?

Cheers,

Rainer

-- 
Rainer M. Krug

email: RMKrug<at>gmail<dot>com

[-- Attachment #2: Type: application/pgp-signature, Size: 494 bytes --]

Re: Email encryption with S/MIME or OpenPGP?

[Uwe Brauer]

[-- Attachment #1: Type: text/plain, Size: 2089 bytes --]

>> "Rainer" == Rainer M Krug <Rainer> writes:

   > Hi
   > At the moment I am using OpenPGP to sign and encrypt my emails, but
   > this does not work easily on my iPhone (please tell me otherwise if it
   > does?).

No it is not, unfortunately. There is no native support and the 3rd
party pkgs are not terrible easy to use, since they are not integrated
with the email reader. One of them is even not gpg conform and it was
impossible to import an old gpg key of mine.

This was one of the reasons for me to switch to smime.

   > But the iPhone implements S/MIME encryption. Now what are the
   > advantages of using each as a standard signing / encryption? Which
   > one is better / safer? I have OpenPGP working via gnus on a Mac and
   > am happy with it.

Both use  a-symmetric encryption and are both safe, what is radially
different is the distribution of public keys. Pgp/gpg has a key model in
which you generate your key pair and distribute your public key or
uplaod it to a server. The problem is not safety but authency  so in gpg
you hope that your key on the server gets signed but a sufficient amout
of trustworthy people.

Smime has a hirachical model. There are a couple of organisations with
posses a root certificate in which signed public keys (called
certificates). You typically apply for such a certificate (a process in
which the encryption module of your bowswer generate your private key),
the authority then allows you to download your certificate signed by
their root certificate, confirming usually only the authenticity of your
email address.

   > So - what are others using and why? Should I use S/MIME instead?


Well it is much easier to use and also easier to convince others to use
it as well, because


    -  It is integrated in your email reader usually. 

    - You do not have to generate a key pair for your self.

    - And you do not need to exchange the public keys, they are
      automatically included in your signature.

    -  it is compatible with the iPhone.

cheers

Uwe Brauer 

[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 5556 bytes --]

Re: Email encryption with S/MIME or OpenPGP?

[Rainer M Krug]

[-- Attachment #1: Type: text/plain, Size: 2611 bytes --]

Uwe Brauer <oub@mat.ucm.es> writes:

>>> "Rainer" == Rainer M Krug <Rainer> writes:
>
>    > Hi
>    > At the moment I am using OpenPGP to sign and encrypt my emails, but
>    > this does not work easily on my iPhone (please tell me otherwise if it
>    > does?).
>
> No it is not, unfortunately. There is no native support and the 3rd
> party pkgs are not terrible easy to use, since they are not integrated
> with the email reader. One of them is even not gpg conform and it was
> impossible to import an old gpg key of mine.
>
> This was one of the reasons for me to switch to smime.

Hm - not nice. I thought there would be an easy option.

>
>    > But the iPhone implements S/MIME encryption. Now what are the
>    > advantages of using each as a standard signing / encryption? Which
>    > one is better / safer? I have OpenPGP working via gnus on a Mac and
>    > am happy with it.
>
> Both use  a-symmetric encryption and are both safe, what is radially
> different is the distribution of public keys. Pgp/gpg has a key model in
> which you generate your key pair and distribute your public key or
> uplaod it to a server. The problem is not safety but authency  so in gpg
> you hope that your key on the server gets signed but a sufficient amout
> of trustworthy people.
>
> Smime has a hirachical model. There are a couple of organisations with
> posses a root certificate in which signed public keys (called
> certificates). You typically apply for such a certificate (a process in
> which the encryption module of your bowswer generate your private key),
> the authority then allows you to download your certificate signed by
> their root certificate, confirming usually only the authenticity of your
> email address.

Thanks - the difference is clear to me. 

>
>    > So - what are others using and why? Should I use S/MIME instead?
>
>
> Well it is much easier to use and also easier to convince others to use
> it as well, because
>
>
>     -  It is integrated in your email reader usually. 
>
>     - You do not have to generate a key pair for your self.
>
>     - And you do not need to exchange the public keys, they are
>       automatically included in your signature.
>
>     -  it is compatible with the iPhone.

Good arguments - but I am using a Mac and the GPG version for
the mac does not yet included gpgsm - so I have the option of using the
homebrew version, wait, or not use easyPG in GNUS.

Cheers,

Rainer
 

>
> cheers
>
> Uwe Brauer 

-- 
Rainer M. Krug
email: Rainer<at>krugs<dot>de
PGP: 0x0F52F982

[-- Attachment #2: Type: application/pgp-signature, Size: 494 bytes --]

Re: Email encryption with S/MIME or OpenPGP?

[Uwe Brauer]

[-- Attachment #1: Type: text/plain, Size: 514 bytes --]

>> "Rainer" == Rainer M Krug <Rainer> writes:


[snip]


   > Good arguments - but I am using a Mac and the GPG version for
   > the mac does not yet included gpgsm - so I have the option of using the
   > homebrew version, wait, or not use easyPG in GNUS.

You mean it is not included in ports? One reason more for me not to
switch to a Mac.... :'(

Ok I never tried to compile it myself, but I presume it cannot be that
hard. At least if I were you, I would give it a try.


bye

Uwe Brauer 

[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 5556 bytes --]

Re: Email encryption with S/MIME or OpenPGP?

[Uwe Brauer]

[-- Attachment #1: Type: text/plain, Size: 401 bytes --]

>> "Rainer" == Rainer M Krug <Rainer> writes:

   > Uwe Brauer <oub@mat.ucm.es> writes:
   >>>> "Rainer" == Rainer M Krug <Rainer> writes:


[snip]

   > homebrew version, wait, or not use easyPG in GNUS.

You mean using  openssl , as described in emacs-wiki? I tried this
out and I reached the point of not using smime at all, since it was so
cumbersome, till I learned about easyPF and ggpsm. :-D



[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 5556 bytes --]

Re: Email encryption with S/MIME or OpenPGP?

[Rainer M Krug]

[-- Attachment #1: Type: text/plain, Size: 1379 bytes --]

Uwe Brauer <oub@mat.ucm.es> writes:

>>> "Rainer" == Rainer M Krug <Rainer> writes:
>
>    > Uwe Brauer <oub@mat.ucm.es> writes:
>    >>>> "Rainer" == Rainer M Krug <Rainer> writes:
>
>
> [snip]
>
>    > homebrew version, wait, or not use easyPG in GNUS.
>
> You mean using  openssl , as described in emacs-wiki? I tried this
> out and I reached the point of not using smime at all, since it was so
> cumbersome, till I learned about easyPF and ggpsm. :-D

That is what I am trying to get to work - but somehow I am struggling.

Is somebody using here s/mime on a mac via easyPF and gpgsm from
homebrew? I get the error when calling gpgsm from the commandline:

,----
| $ gpgsm -s
| gpgsm: certificate is not usable for signing
| gpgsm: certificate is not usable for signing
| gpgsm: certificate is not usable for signing
| gpgsm: note: non-critical certificate policy not allowed
| gpgsm: can't connect to the dirmngr: IPC connect call failed
| gpgsm: certificate #1F134CE9BDA747F504F32D21E06EC854/CN=COMODO Client Authentication and Secure Email CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
| gpgsm: checking the CRL failed: No dirmngr
| gpgsm: error creating signature: No dirmngr <GpgSM>
| 
| $ dirmngr
| Segmentation fault: 11
`----


Rainer

>
>

-- 
Rainer M. Krug
email: Rainer<at>krugs<dot>de
PGP: 0x0F52F982

[-- Attachment #2: Type: application/pgp-signature, Size: 494 bytes --]

Re: Email encryption with S/MIME or OpenPGP?

[Uwe Brauer]

[-- Attachment #1: Type: text/plain, Size: 1340 bytes --]

>> "Rainer" == Rainer M Krug <Rainer> writes:
   >> 
   >> You mean using  openssl , as described in emacs-wiki? I tried this
   >> out and I reached the point of not using smime at all, since it was so
   >> cumbersome, till I learned about easyPF and ggpsm. :-D

   > That is what I am trying to get to work - but somehow I am struggling.

   > Is somebody using here s/mime on a mac via easyPF and gpgsm from
   > homebrew? I get the error when calling gpgsm from the commandline:

   > ,----
   > | $ gpgsm -s
   > | gpgsm: certificate is not usable for signing
   > | gpgsm: certificate is not usable for signing
   > | gpgsm: certificate is not usable for signing
   > | gpgsm: note: non-critical certificate policy not allowed
   > | gpgsm: can't connect to the dirmngr: IPC connect call failed
   > | gpgsm: certificate #1F134CE9BDA747F504F32D21E06EC854/CN=COMODO
   > | Client Authentication and Secure Email CA,O=COMODO CA
   > | Limited,L=Salford,ST=Greater Manchester,C=GB
   > | gpgsm: checking the CRL failed: No dirmngr
   > | gpgsm: error creating signature: No dirmngr <GpgSM>
   > | 
   > | $ dirmngr
   > | Segmentation fault: 11
   > `----
hm your dirmngr is also homebrew? I had some issues with dirmngr on
Ubuntu. Did you try 

disable-crl-checks

in your gpgsm conf?


Uwe Brauer 

[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 5556 bytes --]

Re: Email encryption with S/MIME or OpenPGP?

[Rainer M Krug]

[-- Attachment #1: Type: text/plain, Size: 1595 bytes --]

Uwe Brauer <oub@mat.ucm.es> writes:

>>> "Rainer" == Rainer M Krug <Rainer> writes:
>    >> 
>    >> You mean using  openssl , as described in emacs-wiki? I tried this
>    >> out and I reached the point of not using smime at all, since it was so
>    >> cumbersome, till I learned about easyPF and ggpsm. :-D
>
>    > That is what I am trying to get to work - but somehow I am struggling.
>
>    > Is somebody using here s/mime on a mac via easyPF and gpgsm from
>    > homebrew? I get the error when calling gpgsm from the commandline:
>
>    > ,----
>    > | $ gpgsm -s
>    > | gpgsm: certificate is not usable for signing
>    > | gpgsm: certificate is not usable for signing
>    > | gpgsm: certificate is not usable for signing
>    > | gpgsm: note: non-critical certificate policy not allowed
>    > | gpgsm: can't connect to the dirmngr: IPC connect call failed
>    > | gpgsm: certificate #1F134CE9BDA747F504F32D21E06EC854/CN=COMODO
>    > | Client Authentication and Secure Email CA,O=COMODO CA
>    > | Limited,L=Salford,ST=Greater Manchester,C=GB
>    > | gpgsm: checking the CRL failed: No dirmngr
>    > | gpgsm: error creating signature: No dirmngr <GpgSM>
>    > | 
>    > | $ dirmngr
>    > | Segmentation fault: 11
>    > `----
> hm your dirmngr is also homebrew? I had some issues with dirmngr on
> Ubuntu. Did you try 
>
> disable-crl-checks
>
> in your gpgsm conf?

OK - it is working now after trusting the certificate.

Thanks,

Rainer

>
>
> Uwe Brauer 

-- 
Rainer M. Krug
email: Rainer<at>krugs<dot>de
PGP: 0x0F52F982

[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 4474 bytes --]