GnuPG for a small company -- Questions before I start

Joseph Oreste Bruni jbruni at mac.com
Thu May 17 05:38:46 CEST 2007


On May 16, 2007, at 5:08 AM, Jim Berland wrote:

> P.S.: I never came into contact with certificates like the ones from
> Thawte or CACert.org before and I don't know anybody who uses them.
> Considering the problems I see with GPG for this task, though, I
> wonder if certificates would do the job better or easier. Is this even
> the way other companies are going?


Conceptually there isn't anything really different between X.509  
certificates and PGP keys with regards to encrypting email, other  
than the trust models typically employed by each.

In the certificate model, one's certificate is issued by an  
implicitly trusted third party. The root certificates are pre- 
installed by the operating system or software vendors and they just  
work. Most email clients make using them quite simple.

PGP supports the rooted trust model, but it also supports other  
models. Typically, although not exclusively, PGP uses the web of  
trust where you must exchange keys ahead of time, and cross sign them  
to establish explicit trust.

In practice, however, I can get non-technical people using  
certificates in a lot less time than it takes to get them using PGP.
On the other hand, if you are encrypting files to be distributed via  
HTTP or FTP, I find PGP a lot easier to work with than certificates.

In reality the two technologies are almost identical, but the end- 
user tools need a lot of work to truly blur the current artificial  
distinction.

