> That doesn't sound as if you were a friend of these. Since I saw a few
> using S/MIME in this list, what might have been their reason? Is
> S/MIME better established with non-free software?
We had a discussion in February about this. Check out Jeremy's excellent posts:

http://marc.theaimsgroup.com/?l=mutt-users&m=101258931506891&w=2
http://marc.theaimsgroup.com/?l=mutt-users&m=101260020607114&w=2

and, in the interest of equal time, Will's counterpoint:

http://marc.theaimsgroup.com/?l=mutt-users&m=101260114609607&w=2

Some excerpts from Jeremy's messages:

S/MIME does not use keyservers like OpenPGP does. It also does not have a web of trust concept, instead relying on central CAs. They consider this an advantage, since it means you can always verify a message regardless of your current network connection status, etc... all that you need to verify the message is contained in the message itself and your local list of trusted CA certs.

[...]

The difficulty of PGP is what's kept it from being publicly accepted as a normal thing to do

[...]

People need to accept encryption the way they accept envelopes on snail mail. They never would have globally accepted these if you couldn't use one unless you knew how to make your own adhesive, ink, and stamps.

I saw Phil Zimmerman speak a few months ago at ALS in Oakland, and he understands this more than anyone. He expressed a good bit of dismay at how clique-ish PGP usage is, and how much it has missed the mark of being a way to give encryption to the masses and make it normal. He endured all manner of government harassment to defend people's right to use this stuff, and yet years later, hardly anyone is taking advantage of it.

It was really interesting hearing him speak. It's too bad he had to stop due to people in the audience arguing that there was no value at all in people using PGP unless they all used it completely securely (the main antagonist noted that he keeps his private keys on a CD and never has that near his computer unless it's completely disconnected from the network), which prompted a bunch more people to complain that there was too much talking and not enough key signing going on.
So my summary point is that the mailers designed "for the masses" are choosing S/MIME instead of PGP because PGP's trust model is too complicated for, say, my mother to understand. Look in the PGP manual under, for example, "--edit-key". All kinds of complicated trust issues, with phrases like, "the signature is marked as non-exportable", "this updates the trust-db", "add a subkey to this key", "marginally trusted", "fully trusted", "ultimately trusted" ... I have no idea what most of that means, and no amount of UI design is going to help that. Will Outlook pop up a message which asks Joe AOL User, "Do you marginally trust this, or ultimately trust it?" Joe doesn't understand the security issues.

With S/MIME, the only question is, "Do you trust [company] to certify that people are who they say they are?" Assuming Joe does, everything else is completely automatic.

-- 
Mike Schiraldi
VeriSign Applied Research
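The offline-verification point quoted above, as an added illustration that is not part of the thread: an S/MIME signature is checked from the message itself plus a local trusted-CA file, with no keyserver lookup. It assumes the `openssl` CLI is installed; the CA, the sender's certificate and the message are all constructed on the fly.

```shell
# Added demonstration, not code from the thread. Assumes the openssl CLI;
# every key, certificate and message below is constructed for the example.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. A throwaway CA, standing in for the commercial CA the post refers to.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout ca.key -out ca.pem 2>/dev/null
# 2. A CA the recipient does NOT trust, to show the rejection case.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout other.key -out other.pem 2>/dev/null

# 3. The sender's certificate, issued by the demo CA for her address.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Alice/emailAddress=alice@example.test" \
    -keyout alice.key -out alice.csr 2>/dev/null
openssl x509 -req -days 1 -in alice.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out alice.pem 2>/dev/null

# 4. A constructed message, signed as multipart/signed. The signer's own
#    certificate travels inside the signature, so nothing is fetched later.
printf 'Subject: hello\n\nmeeting at 10\n' > msg.txt
openssl smime -sign -in msg.txt -signer alice.pem -inkey alice.key -out signed.eml

# smime_verifies MESSAGE CAFILE: exit 0 only if the signature is valid AND the
# embedded signer certificate chains to a certificate in CAFILE. CAFILE is the
# only local state the recipient consults.
smime_verifies() {
    openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
}

# 5. A tampered copy: the cleartext body is edited after signing.
sed 's/meeting at 10/meeting at 11/' signed.eml > tampered.eml

report() {
    if smime_verifies "$1" "$2"; then echo "$1 / $2: VALID"; else echo "$1 / $2: REJECTED"; fi
}
report signed.eml ca.pem      # VALID: trusted CA, untouched message
report signed.eml other.pem   # REJECTED: no chain to a trusted CA
report tampered.eml ca.pem    # REJECTED: body no longer matches the signature
```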