From: Uwe Brauer <oub@mat.ucm.es>
To: info-gnus-english@gnu.org
Subject: Re: S/MIME with OpenSSL?
Date: Fri, 13 Nov 2015 18:55:21 +0000
Message-ID: <87r3jtsp9i.fsf@mat.ucm.es>
In-Reply-To: <87egfvxmiy.fsf@tullinup.koldfront.dk>
>>> "Adam" == Adam Sjøgren <asjo@koldfront.dk> writes:
> Uwe writes:
>> This is not about impose, this is about practical matter.
> Sure. My point is that I don't want to tell people how to handle their
> email.
I still don't understand. I say: I want to interchange encrypted mail
with someone. I don't care whether it is gpg or smime, but my experience
tells me it is easier for the other one to use smime. What has this to
do with «imposing»?
>> Suppose you want to interchange confidential information with someone
>> outside the GNU/emacs world and that person has very little computer
>> knowledge. For him/her pgp is a nightmare to install. Smime not.
> I understand that this is how you feel. You haven't convinced me
> this is the case. You just keep stating that it is.
I cannot convince you, since you obviously have not had the same
experience, good for you.
> I see. I have never heard of anyone (but you) using S/MIME with any of
> these programs.
Oh, 99% of the persons I am in contact with (not counting people on
mailing lists on software issues like the gnus or auctex list etc.) do
not use Emacs but use either Apple Mail, Thunderbird or Outlook (or a
webmail interface, which is another matter). So if I want to interchange
encrypted emails with them, I am faced with pgp or smime. Smime is
included already in these programs, well that first step is therefore
solved, no extra installation is needed.
> So, in my eyes, PGP is much easier here. I don't even know how to tell
> someone to "apply for a certificate signed by a root authority", much
> less how to get the certificate into their chosen email-program. But
> every "illiterate" computer user knows this?
I explain that in a minute.
It seems that you are not familiar with the issue of PKI
https://en.wikipedia.org/wiki/Public_key_infrastructure
or with smime https://en.wikipedia.org/wiki/S/MIME
I don't want to write here a long explanation since this gets off topic
easily.
The main issue with asymmetric encryption is not encryption but
authentication. In a nutshell: how can you be sure that the public key
you obtain belongs to the person it claims to belong to? This is the
famous man-in-the-middle attack. The answer is to sign a public key and
here PGP and SMIME take two very different approaches:
- PGP creates a net of trust: there are key servers where you can
  upload your public keys so that they can be signed by people you
  trust. As a rule of thumb: one should trust a public key if
  it's signed by somebody one trusts or, if this is not the case,
  trust a key which has a lot of signatures. One should never just
  use a public key which has been sent to him/her, since one cannot
  trust it.
- SMIME has a hierarchical model: there are a dozen or so
  certificate authorities (CA) which can sign keys. Keys signed by
  these authorities have to be trusted 100%. All software mail
  programs I listed are configured such that public keys signed by
  these authorities are trusted. That is why it is unproblematic to
  send a public key by email, contrary to pgp.
If you don't think that obtaining a certificate (a public key signed by a
CA) is easy, please visit
https://www.comodo.com/home/email-security/free-email-certificate.php
(This is just a site I know; there are dozens of others.)
Fill in name and email address; after a while you receive an email with
a link which, after clicking on it[1], does the following:
- if you (not you Adam, but you the generic user) use SeaMonkey, the
  certificate is already installed, and since SeaMonkey is basically
  Firefox+Thunderbird you are done.
- if you are using Firefox, the certificate is installed in Firefox;
  you have to export it and then import it into your mail client,
  Thunderbird say, or gpgsm/gnus.
- if you use Safari, the certificate gets downloaded to your
  Desktop; you double-click and restart Apple Mail and you are done.
This is *not* easy?
Installing pgp, a plugin and generating a pgp key is easier? Well if you
think so then I cannot convince you.
> It is literally one line of configuration. Much easier than "applying
> for a certificate signed by a root authority" - what so-called
> "illiterate" person even knows what those words mean, much less how to
> do it?
But this is a serious security risk (if not a breach) if you download a
key without checking its signatures before. See my comments above.
> Oh, and, ooops, that's exactly what you say the problem with creating a
> PGP key is.
> Maybe we should wrap this up, as both are, as far as I know,
> equally supported by Gnus, and so this is wandering off topic.
This topic has turned to «what is easier to use, SMIME or PGP», which
came up in that thread; however, in fact it is not so relevant for the GNUS
list and that is why it is better to drop it here and to continue off-list
if needed.
Regards
Uwe
Footnotes:
[1] (important: you must use the *same* browser on the *same* machine
you used for applying for the certificate for that operation)
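
The hierarchical check described in this message, as an added example that is not part of the original post: a throwaway root CA stands in for the authorities a mail client ships with, and a second, unknown root issues a certificate for the same name. All names, addresses and file names are constructed; it assumes the `openssl` command-line tool with its default configuration.

```shell
#!/bin/sh
# Constructed demo: throwaway CAs, keys and addresses, created in a temp dir.
demo_dir=$(mktemp -d)

# Self-signed root CA, written to <name>.key / <name>.crt
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1 demo root" \
        -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.crt" 2>/dev/null
}

# E-mail certificate for "Alice": $1 = issuing CA, $2 = output prefix.
# Every certificate claims the same identity; only the issuer differs.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=Alice/emailAddress=alice@example.org" \
        -keyout "$demo_dir/$2.key" -out "$demo_dir/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$demo_dir/$2.csr" -days 1 -CAcreateserial \
        -CA "$demo_dir/$1.crt" -CAkey "$demo_dir/$1.key" \
        -out "$demo_dir/$2.crt" 2>/dev/null
}

# Sender side: the signer's certificate is embedded in the signed message.
sign_msg() {  # $1 = cert/key prefix
    printf 'Meet at noon.\n' > "$demo_dir/$1.txt" &&
    openssl smime -sign -in "$demo_dir/$1.txt" -signer "$demo_dir/$1.crt" \
        -inkey "$demo_dir/$1.key" -out "$demo_dir/$1.eml" 2>/dev/null
}

# Recipient side: only the trusted root was configured in advance.
# Exit status 0 means signature and certificate chain both checked out.
verify_msg() {  # $1 = message prefix
    openssl smime -verify -in "$demo_dir/$1.eml" \
        -CAfile "$demo_dir/trusted.crt" -out /dev/null 2>/dev/null
}

make_ca trusted && make_ca unknown &&
    issue_cert trusted alice && issue_cert unknown impostor &&
    sign_msg alice && sign_msg impostor

for who in alice impostor; do
    if verify_msg "$who"; then echo "$who: accepted"; else echo "$who: rejected"; fi
done
```

The rejected message carries a valid signature made with its own key; it fails only because its issuer is not one of the configured roots.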