Leo Laporte
I broke down and bought a Verisign cert for Apple Mail. So what are the pros and cons of S/MIME certs vs GPG/PGP signing?
Con #1: You had to buy a cert. - Curtis Hendzell
Con #2: You'll have to keep buying certs. - Sanjay Parekh
You can get free certs from Comodo and Thawte. Verisign was more convenient for me - and it's only $20/year. - Leo Laporte
I've gotten the free ones from Thawte but never have gotten approved by the circle of trust thingy. It seems a bit hard to do. But nice in theory. - Sanjay Parekh
More webmail clients use gpg that I've seen, but otherwise I think S/MIME has good representation in email applications. - Jeremy Heslop
Of course then I find this: https://addons.mozilla.org/en-US... - Jeremy Heslop
I'm curious.. Do you use these for Digital Signing (authentication)? or Encryption? - Randall Hand
S/MIME is what tends to be supported in Enterprise IT applications. GPG/PGP tends to the individual although I have seen plugins for Outlook. It's a similar question to whether you select Sendmail and Thunderbird (GPG/PGP) over Exchange and Outlook (S/MIME) when you make IT decisions. - Craig Duerr
I used S/MIME for a couple years with Mail.app and it does get irritating to deal with yearly expiration which most certs are. The other issue is that some people will start to routinely automatically encrypt email to you (whereas most people don't have GPG, S/MIME support is pretty widespread) and if you ever lose your cert or access from webmail you'll not be able to read their emails. - Gersham Meharg
S/MIME relies on trust of corporations (Certificate Authorities). (pgp|gpg) relies on trust of individuals and is more granular. Also there's the monetary cost (already mentioned.) - Kevin W. Mullet
Three big differences: support, key trust, portability. Leaving aside webmail, which (with notable exceptions) generally don't support either of them ... when it comes to support, S/MIME is the clear winner: almost every email client supports S/MIME out of the box, and basically none of them support PGP. - Joel Bennett
Trust: With the exception of some odd "free" certs, SSL cert providers generally make some effort to associate a REAL IDENTITY with a certificate --that is, not just an email address, but a human being. You can obviously attest to this yourself. The "free" certs are generally issued to an email address (i.e., the "name" will be the email address rather than a person's name) to signify the lower trust. GPG on the other hand is always self-generated and non-verifiable (apart from peer-based "key signing" parties). And there's the expiration/renewal problem... - Joel Bennett
Portability: PGP/GPG are trivially portable, and in fact most such tools offer the option to "sign" or "encrypt" (and test signatures) on any free text, because the signing is done in pure text. However, that (generally speaking) means you're restricted to plain text ;-) and, well, S/MIME is basically the opposite ;-p - Joel Bennett
Thunderbird+Enigmail addon+GnuPG is my preference at my desk. GnuPG + Firefox + FireGPG addon is awesome on the web and really decent inside Gmail. FireGPG can also help with other GPG tasks generally on the web. It's great! Throw in a key-signing party and trust of keys is no sweat! - Andrew Skretvedt
It's too bad you didn't go for a CAcert! It would've been an interesting statement to make. - A. Karl Kornel from twhirl
@Sanjay: Are there enough people in your area to meet with? If not, have you tried the trusted third party route? I was able to do the former with Thawte, but did the latter with CAcert. - A. Karl Kornel from twhirl