SMIME vs PGP
Robert J. Hansen
rjh at sixdemonbag.org
Wed Feb 6 23:18:29 CET 2008

SeidlS at schneider.com wrote:
> I am not an encryption expert, and need some help from the GnuPG user
> group.

While you can probably get some good pointers here, if you're looking
for an answer you can rely on you will either need to do a fair bit of
homework or else contract with an outside information security
consultant. Information security is a subtle subject and many people
who claim to know things actually know very little about those things.
I, of course, am no exception.

> We have a new software product that has the capability of encrypting
> documents using SMIME. How common is SMIME and used outside of email
> clients?

S/MIME support (note the slash) is built into virtually every
proprietary email client as a standard feature, and is present in many
of the open-source ones. Outlook, Thunderbird, Lotus Notes, Apple's
Mail.app, and more, all support it out-of-the-box.

S/MIME integration with mail clients is substantially better than
OpenPGP's integration with mail clients.

> Is it compatible with the OpenPGP standard, and thus GnuPG?

On some level, theoretically, sure, given that S/MIME uses X.509
certificates, and X.509 certificates can be finessed into the Web of
Trust. However, you will need a lot of elbow grease and a really big
crowbar, and the resulting Frankenstein's Monster will not be pretty.
I have never seen this done in practice. S/MIME and OpenPGP
interoperability is, AFAIK, a theoretical chimera.

> Is there a good website discussing the differences between the two
> standards?

I can't answer this without knowing what level of detail you're
interested in, difference-wise. From an end-user perspective S/MIME and
OpenPGP provide essentially identical capabilities. Slightly more
involved than that, S/MIME and OpenPGP use many of the same algorithms.
More involved than that, they handle all manner of internal things
differently.

If you want to come to a fairly comprehensive understanding of both, I
would recommend reading RFC3852 ( http://tools.ietf.org/html/rfc3852 )
and RFC4880 ( http://tools.ietf.org/html/rfc4880 ). S/MIME is based
upon the former, and OpenPGP is defined by the latter.
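
Added example, not part of the original message: the two RFCs cited above define different wire formats, and the sketch below tells them apart from the leading octets of a binary blob (a CMS ContentInfo is an ASN.1 SEQUENCE starting with a content-type OID, while every OpenPGP packet header has bit 7 set). The names `classify` and `ber_length` and the sample bytes are constructed for illustration, and the input is assumed to be raw binary with any base64 or ASCII armor already removed.

```python
# Added example, not from the original post: tell a CMS ContentInfo
# (RFC 3852, S/MIME) from an OpenPGP packet (RFC 4880) by its leading octets.
CMS_OID_PREFIX = bytes.fromhex("2a864886f70d0107")  # DER of 1.2.840.113549.1.7
CMS_TYPES = {1: "data", 2: "signedData", 3: "envelopedData"}
PGP_TAGS = {1: "Public-Key Encrypted Session Key", 2: "Signature",
            3: "Symmetric-Key Encrypted Session Key", 4: "One-Pass Signature",
            6: "Public-Key", 8: "Compressed Data", 11: "Literal Data"}

def ber_length(buf, pos):
    """Decode a BER/DER length at buf[pos]; return (length or None, next_pos)."""
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F
    if n == 0:                            # BER indefinite length
        return None, pos + 1
    if pos + 1 + n > len(buf):
        raise ValueError("truncated length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify(blob):
    """Return (family, detail) for the first structure in a binary blob."""
    if len(blob) < 2:
        return ("unknown", "too short")
    b0 = blob[0]
    if b0 & 0x80:                         # RFC 4880 4.2: bit 7 is always set
        # bit 6 selects new format (6-bit tag) or old format (tag in bits 5-2)
        tag = b0 & 0x3F if b0 & 0x40 else (b0 >> 2) & 0x0F
        return ("openpgp", PGP_TAGS.get(tag, f"tag {tag}"))
    if b0 != 0x30:                        # ContentInfo is an ASN.1 SEQUENCE
        return ("unknown", "neither SEQUENCE nor OpenPGP packet")
    try:
        _, pos = ber_length(blob, 1)
        if blob[pos] != 0x06:             # first field must be an OID
            return ("unknown", "SEQUENCE without leading OID")
        oid_len, pos = ber_length(blob, pos + 1)
    except (ValueError, IndexError):
        return ("unknown", "truncated header")
    oid = blob[pos:pos + (oid_len or 0)]
    if len(oid) == 9 and oid[:8] == CMS_OID_PREFIX:
        return ("cms", CMS_TYPES.get(oid[8], f"content type {oid[8]}"))
    return ("unknown", "SEQUENCE with other OID")

# Constructed header bytes (not real messages); payloads are omitted.
SAMPLE_CMS = bytes.fromhex("30820100" "0609" "2a864886f70d010703" "a0")
SAMPLE_CMS_BER = bytes.fromhex("3080" "0609" "2a864886f70d010702" "a080")
SAMPLE_PGP_OLD = bytes.fromhex("85010c03")  # old-format header, tag 1
SAMPLE_PGP_NEW = bytes.fromhex("c1c04c03")  # new-format header, tag 1
```

A leading-octet check like this only identifies the container; it says nothing about whether the content is valid or trustworthy, and an X.509 certificate (SEQUENCE of SEQUENCE) is reported as unknown rather than as CMS.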