S/MIME or PGP/MIME?

Marc Mutz mutz@kde.org
Fri Dec 7 11:13:02 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 07 December 2001 08:19, Paul Holman wrote:
<snip>
> >> 2 Opportunistic Encryption
> >> Try sending a message to half a dozen recipients when you only
> >> have keys for half of them.  S/MIME mailers will encrypt to those
> >> it can, and send cleartext to the rest.
> >
> > Huh? That's clearly a security risk. If you want the message
> > encrypted and it silently sends it as cleartext... You mean they
> > really do that? Oh my god...
>
> Again, this is implementation specific.  If the mailer wants to
> report which users it can encrypt to, great.  If not, this is a way
> to make sure we get at least some of them.

If you encrypt messages you want nobody else than the recipients to be
able to read them, no? Please tell me why you then want to send the
same message encrypted to some and unencrypted to some others?
Worse: This provides attackers with known plaintext, i.e. they can
compare the plaintext with the ciphertext. Generally, this has to be
avoided.

KMail's new beta (out next week) will have opportunistic encryption for
OpenPGP. We took the approach to tell the user that some recipients
won't be able to read the message, but we certainly don't send the same
message encrypted and unencrypted.

> >> 3 Seamless Integration (My favorite!)
> >> S/MIME mailers never show you any ciphertext.  They just have
> >> little icons to indicate when a message was encrypted or verified
> >> successfully.
> >
> > Mutt does that >:-)
>
> Great to hear.  If I ever learn to configure Mutt, I'll try it out!

You should try KMail. Its OpenPGP features only lack PGP/MIME support
now and that is being worked on by the AEGYPTEN team.

> >> However, the problem isn't that the mailer developers are doing it
> >> wrong, it is that they haven't been given the tool they need - an
> >> open source OpenPGP toolkit.
> >
> > libgpgme?
>
> Yes, libgpgme is a good start.
<snip>

It's not only a good start. Apart from the fact that it lacks NAI PGP
backend processing for idealistic reasons, it's _the_ way to go when
talking about OpenPGP<->MUA(<->S/MIME) integration!

Marc

-- 
Never is there so much lying as before an election, during a war and after
a hunt                                            -- Otto von Bismarck
=20
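The delivery policy Marc argues for, written out as an added example (constructed here, not KMail's code): the naive "encrypt where possible, cleartext for the rest" behaviour is shown beside a policy that either encrypts to every recipient or sends nothing and reports who lacks a key, so the same message never leaves both as ciphertext and as known plaintext. Recipient addresses and the keyring are made-up sample data.

```python
"""Mail delivery policy that never sends one message both encrypted and in
cleartext (added example; the two helpers and their names are hypothetical)."""
from dataclasses import dataclass, field


@dataclass
class DeliveryPlan:
    encrypt_to: list = field(default_factory=list)    # recipients who get ciphertext
    cleartext_to: list = field(default_factory=list)  # recipients who get plaintext
    missing_keys: list = field(default_factory=list)  # recipients with no known key
    blocked: bool = False                             # True: nothing is sent at all


def naive_opportunistic(recipients, keyring):
    """The behaviour criticised in the thread: encrypt to whoever has a key,
    fall back to cleartext for everyone else, all within one send."""
    plan = DeliveryPlan()
    for rcpt in recipients:
        (plan.encrypt_to if rcpt in keyring else plan.cleartext_to).append(rcpt)
    plan.missing_keys = list(plan.cleartext_to)
    return plan


def consistent_delivery(recipients, keyring, want_encryption):
    """Either every copy is encrypted, or the user has explicitly chosen to
    send unencrypted to all; a mixed send is never produced."""
    plan = DeliveryPlan()
    plan.missing_keys = [r for r in recipients if r not in keyring]
    if not want_encryption:
        plan.cleartext_to = list(recipients)       # user's explicit choice
    elif plan.missing_keys:
        plan.blocked = True                        # report missing keys, send nothing
    else:
        plan.encrypt_to = list(recipients)
    return plan


def leaks_plaintext(plan):
    """True when the same message leaves both as ciphertext and as cleartext,
    i.e. an eavesdropper gets known plaintext for the encrypted copies."""
    return bool(plan.encrypt_to) and bool(plan.cleartext_to)


if __name__ == "__main__":
    # Constructed sample data: two recipients with keys, one without.
    keyring = {"alice@example.org", "bob@example.org"}
    rcpts = ["alice@example.org", "bob@example.org", "carol@example.org"]
    print("naive leaks plaintext:", leaks_plaintext(naive_opportunistic(rcpts, keyring)))
    print("consistent plan:", consistent_delivery(rcpts, keyring, True))
```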