Apart from the lack of native Outlook support, why should one prefer S/MIME over PGP/MIME for email?

The main reason to prefer one technology over the other is usability. Regardless of the tools you use, email security will depend mostly on how well the users cooperate -- most of the confidentiality of their emails rests on their ability not to do anything stupid with their data, and to react appropriately in unusual conditions. You will get decent security only if the tools they use are available, easy to use and reliable. Therefore, it is difficult to compare S/MIME and OpenPGP in abstracto.

However, we can still make some distinctions on the PKI model. S/MIME relies on X.509, a behemoth of a standard which is meant to support a hierarchical PKI with controlled trust delegation from a limited set of trust anchors and down short paths. OpenPGP uses a Web of Trust which is decentralized. Your expression "blindly trust a CA" says a lot about your own preferences, but is quite subjective.

If you look at how X.509 and OpenPGP operate, you will see that in the Web of Trust, everybody is a CA; hence, while in X.509 you put your trust into a handful of CAs, in the Web of Trust you put your trust in... everybody? That's because most people forget half of the WoT system. In a true WoT, the graph of certification (i.e. who signs the key of who) should be overconnected.

When you want to validate the public key of someone (let's call him Bob), then you need to find certification paths which lead from you to Bob; such a path begins with your public key (which you know "absolutely") and each step is a signature computed over the public key of the next individual in the path. Security in the WoT model comes from the verification of many paths which all begin with you and end on Bob, but with no other individual being common to any two paths. When everybody can act as a CA, any single path is "potentially suspect": when people sign other people's keys late at night and under the auspices of heavy alcohol drinking, you cannot expect all paths to be 100% reliable. An attacker intent on forging a fake key for Bob will just have to find a few gullible or intoxicated individuals. The WoT credo is that "the crowd is right": an attacker may subvert some people, but not most of them. Thus, if you can find many valid paths which lead to Bob, then Bob's key is probably genuine, because bribing or deceiving that many people would have been "probably too hard".

The bottom line is that the Web of Trust is hard. The description above uses the fuzzy terms "few", "many", "most" and "probably". We do not know how to estimate the number of paths which must be built in order to achieve a given level of security; in fact, we do not know how to quantify a "security level". It is unclear whether WoT can work at all. OpenPGP implementations tend to use a "reliability percentage" which is totally unsubstantiated guesswork. Of course, in practice, nobody spends time to rebuild many chains; you are already lucky if you find one chain.

When I must exchange confidential data with customers, I use OpenPGP -- but not the Web of Trust. I use OpenPGP because the usual implementations have the ability to bind keys to identity permanently: if I can make sure once that the key is genuine, then my software will remember it and things will be safe thereafter. So the customer and I exchange the key fingerprints when we meet in person, or over a phone call (which we assume to be safe from impersonations -- eavesdropping is not an issue here).

Such binding is not supported by S/MIME implementations. They could do it (although certificate expiry makes it slightly more difficult) but they do not. It is not intrinsic to X.509 (the X.509 model makes it possible to change your certificate every five minutes, but it does not make it mandatory); but deployed implementations work that way. Usability trumps the PKI model, as I said above, so that's OpenPGP for me.

(Note: in another context, HTTPS relies on the X.509 hierarchical PKI with a few dozen hardcoded trust anchors, and the same issues arise there too; e.g., see Convergence, which is a proposal to, indeed, bind keys to servers in a semi-permanent way, and which relies on the same "crowd is right" mantra as the WoT. And yet they do that with X.509 certificates, which shows that the actual format for certificates is not that important.)
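Added example, not part of the original answer: the Web of Trust check described above (many paths from you to Bob with no other individual common to any two of them) amounts to counting vertex-disjoint paths in the signature graph. The sketch below does this with unit-capacity max-flow and node splitting, which is a technique chosen here, not something OpenPGP implementations are claimed to do; the names and the signature graph are constructed sample data.

```python
from collections import defaultdict, deque

# Constructed sample data: (signer, key_signed) means "signer certified this key".
SIGNATURES = [
    ("me", "alice"), ("me", "carol"), ("me", "dave"),
    ("alice", "erin"), ("carol", "erin"),  # two paths funnel through erin
    ("erin", "bob"),
    ("dave", "frank"), ("frank", "bob"),
]

def disjoint_paths(signatures, source, target):
    """Count paths source -> target that share no intermediate signer."""
    signatures = set(signatures)           # ignore duplicate certifications
    cap = defaultdict(int)                 # residual capacities
    adj = defaultdict(set)

    def add_edge(u, v, c):
        cap[(u, v)] += c
        adj[u].add(v)
        adj[v].add(u)                      # reverse edge for the residual graph

    for n in {k for edge in signatures for k in edge}:
        # Split each key into in/out halves; capacity 1 on an intermediary
        # means at most one counted path may pass through that person.
        limit = len(signatures) if n in (source, target) else 1
        add_edge((n, "in"), (n, "out"), limit)
    for signer, signed in signatures:
        add_edge((signer, "out"), (signed, "in"), 1)

    s, t = (source, "in"), (target, "out")
    flow = 0
    while True:
        parent = {s: None}                 # BFS for one augmenting path
        queue = deque([s])
        while queue and t not in parent:
            u = queue.popleft()
            for v in adj[u]:
                if v not in parent and cap[(u, v)] > 0:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            return flow                    # no more independent paths
        v = t
        while parent[v] is not None:       # push one unit along the path
            u = parent[v]
            cap[(u, v)] -= 1
            cap[(v, u)] += 1
            v = u
        flow += 1

if __name__ == "__main__":
    print(disjoint_paths(SIGNATURES, "me", "bob"))
```

In the sample graph there are three certification chains to Bob, but two of them depend on the same signer (erin), so only two count as independent: deceiving erin alone would break both of those chains.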
