gmail smime, sends two messages one is not encrypted. Experience?

Uwe Brauer oub at
Tue Dec 10 18:20:55 CET 2019

>>> "MHWvG" == Mark H Wood via Gnupg-users <gnupg-users at> writes:

   > On Sun, Dec 08, 2019 at 10:38:43AM +0100, Uwe Brauer via Gnupg-users wrote:
   >> Now to the question s/mime versus gnupg.
   >> There are the following points which make s/mime easier.
   >> 1. Key generation. In s/mime you apply for a certificate and don't
   >> have to generate the key by yourself.

   > Oh, I hope not.  The point of asymmetric crypto is that you never,
   > ever, give your private key to anyone, even, *especially*, the CA.
   > The proper way to get an X.509 certificate is to generate a keypair,
   > keep the private key private, and send a CSR containing the public key
   > to the entity which will issue the certificate.

Ah, sorry for the sloppy formulation. You are completely right.

The process is, usually[1], as follows:

    1. For example using Comodo, you apply for a certificate.

    2. Your keypair is generated by your own crypt module of the
       browser (quite some time ago I had a look at the corresponding
       javascript and it did not look suspicious).

    3. You receive a link via email, which you have to open with the
       same browser and the same computer and your keys get signed.

However the user usually does not notice all these steps, and this is
what I meant.

In the case for pgp the user has to generate a keypair him/herself and
believe me, for most users this is much more complicated than 'applying
for a certificate in comodo'.

[1]  there is one exception:
     they really generate a keypair and send it to you, no kidding. That
     seems to me a major security breach, to say the least.

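The enrollment flow Mark describes (generate the keypair locally, send only a CSR, get a certificate back) as an added, runnable example; this is not code from the thread, from GnuPG or from Comodo's enrollment pages. It uses the openssl command line; the file names, the subject DNs and the throwaway CA that stands in for the real issuer are constructed for the demo. The checks in `csr_is_sane` and `cert_matches_key` are the ones a user can run to confirm that the private key never left the machine, which is exactly what distinguishes the normal flow from the footnoted exception where the CA generates the key itself.

```shell
#!/bin/sh
# Added example, not code from the thread: CSR-based X.509 enrollment with the
# openssl CLI. The keypair is created on the user's machine and stays there;
# the CA (a constructed stand-in below) only ever sees the CSR.
# File names, subject DNs and the toy CA are constructed for illustration.
set -eu

# Steps 1+2: generate the keypair locally and build a CSR from it.
#   $1 = working directory, $2 = subject DN ("/CN=Alice/emailAddress=a@example.invalid")
make_csr() {
    umask 077                       # key file readable by its owner only
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$1/smime.key" 2>/dev/null
    # The CSR carries the public key plus a self-signature made with the
    # private key (proof of possession); the private key itself is not in it.
    openssl req -new -key "$1/smime.key" -subj "$2" -out "$1/smime.csr" 2>/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo of a key, CSR or certificate,
# so all three can be compared.  $1 = key|csr|crt, $2 = file
pubkey_fp() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout -outform DER ;;
        csr) openssl req -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        crt) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    esac 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Checks to run before the CSR leaves the machine:
#  - the CSR's self-signature verifies,
#  - its public key belongs to the local private key,
#  - no private-key material ended up in the file being sent.
csr_is_sane() {
    openssl req -in "$1/smime.csr" -noout -verify 2>/dev/null || return 1
    [ "$(pubkey_fp key "$1/smime.key")" = "$(pubkey_fp csr "$1/smime.csr")" ] || return 1
    ! grep -q "PRIVATE KEY" "$1/smime.csr"
}

# Step 3, stand-in for the CA (constructed so the example runs offline):
# a throwaway CA signs the CSR. Note its inputs: only ca.* and the CSR.
simulate_ca_issue() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl x509 -req -in "$1/smime.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -out "$1/smime.crt" 2>/dev/null
}

# After the certificate comes back: it must chain to the issuer and bind the
# public key generated here. A certificate for a different key, or a .p12
# arriving with a private key inside, means the key was not generated locally.
cert_matches_key() {
    openssl verify -CAfile "$1/ca.crt" "$1/smime.crt" >/dev/null 2>&1 || return 1
    [ "$(pubkey_fp key "$1/smime.key")" = "$(pubkey_fp crt "$1/smime.crt")" ]
}

main() {
    dir=$(mktemp -d)
    make_csr "$dir" "/CN=Alice Example/emailAddress=alice@example.invalid"
    csr_is_sane "$dir" && echo "CSR ok to send; private key stays in $dir/smime.key"
    simulate_ca_issue "$dir"
    cert_matches_key "$dir" && echo "issued certificate matches the locally generated key"
    rm -rf "$dir"
}
main
```

In the real flow the output of `make_csr` (`smime.csr`) is what gets uploaded to the CA's form, and `cert_matches_key` is run against the certificate the CA sends back; the browser-based enrollment in the steps above does the same thing behind the scenes with the browser's key store instead of a key file.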
