BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] PGP Basics

Subject: [Discuss] PGP Basics
From: blu at nedharvey.com (Edward Ned Harvey)
Date: Mon, 10 Oct 2011 21:28:42 -0400
In-reply-to: <CAOxrMGhTZz4KC6mkA-ENNRUUw2m6Uqrsg6Fu0m+9wuZo9ZxPuQ@mail.gmail.com>
References: <CAOxrMGhTZz4KC6mkA-ENNRUUw2m6Uqrsg6Fu0m+9wuZo9ZxPuQ@mail.gmail.com>

> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
> bounces+blu=nedharvey.com at blu.org] On Behalf Of Kyle Leslie
> 
> Hola Everyone.  With the recent talk about PGP and the growing need for
its
> use at my company I have been trying to learn about it.

I'll encourage you to look at S/MIME instead.  It's much easier.

Surely some people on this list will say PGP is more secure, and as with
anything, there's a grain of truth which is probably not represented
entirely accurately.  The fundamental difference is this:  S/MIME is based
on SSL, which means anything you send/receive is automatically checked for
validity using the built-in SSL root Trusts.  These are the same
organizations that are used to trust https traffic, or anything else based
on SSL.  

So the grain of truth is like this:  As long as you're trusting a 3rd party
such as verisign or thawte, then there's an attack vector which otherwise
doesn't exist.  An attacker only needs to somehow compromise one of these
root trusts, and then they can forge signatures.  Although rare, this has
been known to happen.  When it happens, the compromised certificate
authority promptly revokes any compromised certs (as soon as they discover
they've been compromised)...  So it's important to keep current with system
updates.

On the flip side, with PGP you don't have automatic trusts.  You need to
somehow decide you trust someone's cert based on some kind of out-of-band
information.  Maybe because the person told you over the phone "I'm sending
it now" and then it arrived a second later, or whatever.  The problem with
something like this is...  Just like the "Are you sure?" prompts that you
get everytime you try to do anything in windows...  People just make a habit
of always clicking "Yes" without thinking about it.

Everyone has their own opinions, about which is more trustworthy and which
is more convenient.  My opinion is that if you're deploying one of these
technologies for your company, IMHO your users would be more secure with
S/MIME, and it's much more convenient.  If you were only deploying it for
yourself, then you as an interested and technical user might actually get
better security out of PGP.

You can get free S/MIME certs from startssl.com, and probably a number of
other locations.  If you're interested, I have an example here:
http://dl.dropbox.com/u/543241/Digital%20ID%20Step%201%20-%20Create%20Cert%2
0IE9%20Win7.pdf
and
http://dl.dropbox.com/u/543241/Digital%20ID%20Step%202%20-%20Outlook%202010.
pdf

Follow-Ups:
- [Discuss] PGP Basics
  - From: gaf at blu.org (Jerry Feldman)

References:
- [Discuss] PGP Basics
  - From: fbxxkl at gmail.com (Kyle Leslie)

Prev by Date: [Discuss] PGP Basics
Next by Date: [Discuss] Is MythTV dead?
Previous by thread: [Discuss] PGP Basics
Next by thread: [Discuss] PGP Basics
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Boston Linux & Unix / webmaster@blu.org