gpgsm and expired certificates

Uwe Brauer oub at
Sun Oct 27 15:46:05 CET 2013

>> "Werner" == Werner Koch <wk at> writes:

   > On Sun, 27 Oct 2013 10:23, pete at said:
   >> Correct, though it is possible (but usually recommended against) to
   >> create a new certificate using the same private keypair as before. In

   > The business model of most CAs is to sell you a subscription by
   > setting the expiration time very low so that they can ask after a
   > year for another fee to create a new certificate.  Here it does not
   > make sense to create a new private key every year.

Well, Comodo is free (still) and prolonging the certificate seems free too, for
the moment, but I agree I would prefer a government-based organisation
which provides this service to its citizens (especially because of all
that was lately revealed about the NSA).
   > GnuPG basically does the same by allowing you to prolong the expiration
   > time.
I don't want to enter a flame war here, and in principle I'd prefer gpg
over smime, but in reality I have to use smime, because

    -  it is implemented in almost all MUAs while gpg is not[1]

    -  it is so much easier to install for the people I communicate with
       than gpg. 

I recall that I tried to convince someone to use gpg, and after some hours he
almost yelled at me, while he was able to set up smime in 5 minutes.

The reasons for this are the following.

    -  As I said, smime is already installed in almost all MUAs, so there is
       no need to install gpg and a plugin for the MUA

    -  the user does not have to generate a keypair. Well, this is not
       entirely true, as we mentioned earlier, but the user applies for
       a certificate, picks it up, and he is set.

    -  the user does not have to exchange public keys; he just sends a
       signed message which includes his public key.

So if the big MUAs, and not only Thunderbird but at least Outlook, Apple
Mail and iOS Mail, would

    -  support gpg natively

    -  when gpg is used in the mail reader for the first time, silently
       generate a key pair

    -  when sending a signed message, always embed the public key in the
       signature

Then I think gpg would be as easy to use as smime, but till then....

Uwe Brauer 

[1]  I tried to use gpg on a non-jailbroken iPhone and it is honestly a hassle.
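The two technical points in the exchange above, that a certificate can be renewed for the same key pair (the public key, and so the trust correspondents place in it, is unchanged) and that an S/MIME signed message carries the signer's certificate so no separate public-key exchange is needed, as an added example that is not part of the original thread. It uses OpenSSL in place of gpgsm so that it runs wherever openssl is installed; the file names, subject DNs, validity periods and the sample message are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread. Demonstrates two things:
#   1. a certificate can be renewed for the same key pair (the public key is
#      unchanged, so correspondents' trust in that key carries over), and
#   2. an S/MIME signature embeds the signer's certificate, so the recipient
#      needs no separate public-key exchange.
# OpenSSL stands in for gpgsm. Names, subjects and the message are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a certificate for an already existing private key. Self-signed here
# for brevity; a CA would instead receive the CSR ('openssl req -new -key ...'
# without -x509) and return the certificate.
issue_cert() {  # $1 private key, $2 output cert, $3 validity in days, $4 subject
    openssl req -new -x509 -key "$1" -days "$3" -subj "$4" -out "$2" 2>/dev/null
}

# Alice's key pair, generated once and kept across renewals.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/alice.key" 2>/dev/null
ALICE='/CN=Alice Example/emailAddress=alice@example.invalid'
issue_cert "$WORK/alice.key" "$WORK/alice-2013.crt" 365 "$ALICE"   # first year
issue_cert "$WORK/alice.key" "$WORK/alice-2014.crt" 365 "$ALICE"   # renewal, same key

# Someone else's key pair, to show what a key change looks like.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/mallory.key" 2>/dev/null
issue_cert "$WORK/mallory.key" "$WORK/mallory.crt" 365 '/CN=Mallory/emailAddress=mallory@example.invalid'

# Returns 0 when two certificates certify the same public key.
same_public_key() {
    [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# SHA-256 fingerprint of a certificate, for comparing two copies of it.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Sign a constructed message. The output is S/MIME multipart/signed with a
# detached application/pkcs7-signature part (the same kind of object as an
# smime.p7s attachment), and that part contains the signer's certificate.
printf 'From: alice@example.invalid\nSubject: test\n\nhello\n' > "$WORK/msg.txt"
openssl cms -sign -in "$WORK/msg.txt" -signer "$WORK/alice-2014.crt" \
    -inkey "$WORK/alice.key" -out "$WORK/msg.eml"

# Returns 0 when the signature on $1 checks out and the certificate embedded
# in it is $2. -noverify skips chain validation (no CA store needed) but the
# signature itself is still checked; -signer writes out the embedded certificate.
embedded_cert_is() {
    openssl cms -verify -in "$1" -noverify -signer "$WORK/embedded.crt" \
        -out /dev/null 2>/dev/null || return 1
    [ "$(fingerprint "$WORK/embedded.crt")" = "$(fingerprint "$2")" ]
}

# Stand-alone run: report the checks.
if same_public_key "$WORK/alice-2013.crt" "$WORK/alice-2014.crt"; then
    echo "alice-2014.crt is a renewal: same public key as alice-2013.crt"
fi
if ! same_public_key "$WORK/alice-2014.crt" "$WORK/mallory.crt"; then
    echo "mallory.crt certifies a different key"
fi
if embedded_cert_is "$WORK/msg.eml" "$WORK/alice-2014.crt"; then
    echo "signed message carries alice-2014.crt; no separate key exchange needed"
fi
```

With gpgsm the same renewal is done through the parameter file of `gpgsm --gen-key --batch`, whose `Key-Grip:` line generates the CSR for an already existing key instead of creating a new one; on the OpenPGP side `gpg --quick-set-expire` simply extends the expiration date of the existing key, which is the "prolonging" Werner refers to. Note that `-noverify` is what lets the check succeed without a trust store: without it OpenSSL validates the chain and also rejects a signature whose embedded certificate has expired, which is the situation the subject line of this thread is about.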

More information about the Gnupg-users mailing list