jens.lechtenboerger@fsfe.org writes:

> Hi Greg!
>
>> I'm a longtime epg user with gnupg (coming from mailcrypt and then
>> pgg), and generally it works well. I am now trying to get set up with
>> S/MIME to interact with some people who do encrypted mail that way,
>> and finding it harder than it seems I should.
>
> If I understand correctly, they already use S/MIME, right? So, probably
> this choice is not yours to make, but I recommend OpenPGP over S/MIME,
> as explained in a blog entry:
> https://blogs.fsfe.org/jens.lechtenboerger/2013/12/23/openpgp-and-smime/

You will notice that my messages to this list are signed with OpenPGP. Indeed my question is about how to interoperate with people that already use S/MIME.

Your blog post conflates the common PKI model and the S/MIME standard itself - which I realize is how normal people come to this. Some organizations use S/MIME but only configure their own CAs as trust anchors. This is quite sane. But I agree that that vast CA list is goofy and inflicted on most people.

>> 1) What is the thinking on the default for smime between epg/gpgsm and
>> openssl?
>
> My recommendation is to stay away from openssl. Use gpgsm.

So perhaps the defaults should be flipped in gnus, so that epg/gpgsm is used, throwing an error if not found (or silently not decoding merely signed?), unless someone has explicitly asked for the openssl version?

>> 3) When verifying openpgp/mime, I am notified of decryption status as
>> well as signatures, so that I know the message was encrypted. I don't
>> see any hint of this with epg/gpgsm. Any advice, other than figure it
>> out and send a patch?
>
> For signed plaintext messages I see the verification status. For signed
> and encrypted ones not. My advice is to go for OpenPGP :-)

You vastly overestimate my status as world dictator :-)
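As an added illustration of the per-user side of the "flip the default" idea discussed above (example configuration, not code from the thread or from Gnus itself): the snippet below selects the epg/gpgsm back end for S/MIME in Gnus and refuses to start with a silently broken setup when the gpgsm binary is absent, instead of falling back to openssl. It assumes the standard Gnus variables `mml-smime-use`, `mml2015-use`, `mm-verify-option`, `mm-decrypt-option` and the EasyPG variable `epg-gpgsm-program`; the trust-anchor remark about a site CA is only a comment, since that policy lives in gpgsm's own configuration, not in Emacs.

```emacs-lisp
;;; init-smime.el --- prefer epg/gpgsm for S/MIME in Gnus (added example)

(require 'epg-config)   ; defines epg-gpgsm-program
(require 'mml-smime)    ; defines mml-smime-use
(require 'mml2015)      ; defines mml2015-use
(require 'mm-decode)    ; defines mm-verify-option / mm-decrypt-option

;; Fail loudly at load time rather than quietly degrading to the openssl
;; back end: a missing gpgsm means S/MIME verification cannot happen.
(unless (executable-find epg-gpgsm-program)
  (error "S/MIME back end: gpgsm binary %S not found on PATH"
         epg-gpgsm-program))

;; Use EasyPG for both mail security standards.  OpenPGP/MIME stays on
;; epg as before; S/MIME is switched from the openssl default to gpgsm.
(setq mml2015-use   'epg
      mml-smime-use 'epg)

;; Verify signatures and decrypt encrypted parts automatically so the
;; article buffer shows a status instead of an undecoded attachment.
;; Note: as the thread observes, a signed-and-encrypted S/MIME message
;; still shows only the decryption result, not a separate signature line.
(setq mm-verify-option  'known
      mm-decrypt-option 'known)

;; Trust anchors are a gpgsm matter, not an Emacs one: restricting trust
;; to an organisation's own CA is done in ~/.gnupg/trustlist.txt, which
;; keeps the large public CA bundle out of the picture entirely.

(provide 'init-smime)
;;; init-smime.el ends here
```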