In this chapter, we focused on two exemplary message security protocols, PGP and S/MIME, that are used for secure messaging on the Internet. In spite of their many similarities, there are at least two fundamental differences that lead to a situation in which PGP and S/MIME implementations do not easily interoperate:

  1. PGP and S/MIME use different message formats.

  2. PGP and S/MIME handle public keys and public key certificates in fundamentally different ways:

    • PGP relies on users to directly or indirectly exchange public keys and establish trust in each other.[22] This informal approach to establishing a "web of trust" works well for small workgroups but can become hard to manage for large groups.

    • Contrary to that, S/MIME relies on public key certificates that are issued by official (or at least "official-looking") and hierarchically organized CAs and distributed by corresponding directory services.

Again, you may refer to Chapters 8 and 13 of [4] for a more comprehensive overview and discussion of the way PGP and S/MIME handle public keys and public key certificates.

The first difference between PGP and S/MIME is minor and similar to the differences between various formats for image files, such as GIF and JPEG. They basically do the same things from a user's point of view, but their formats are different.
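To make the format difference concrete, the following added example (not from the book) shows how a user agent could tell the two formats apart from MIME headers alone. The content types and parameters are those defined in RFC 3156 (PGP/MIME) and RFC 8551 (S/MIME); the function name `classify` and the sample messages are constructed for illustration.

```python
from email import message_from_string

# (container type, protocol parameter) pairs defined by RFC 3156 (PGP/MIME)
# and RFC 8551 (S/MIME); the x- variants are legacy S/MIME names.
MULTIPART_FORMATS = {
    ("multipart/signed", "application/pgp-signature"): "PGP/MIME signed",
    ("multipart/encrypted", "application/pgp-encrypted"): "PGP/MIME encrypted",
    ("multipart/signed", "application/pkcs7-signature"): "S/MIME signed",
    ("multipart/signed", "application/x-pkcs7-signature"): "S/MIME signed",
}
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
ARMOR = {"-----BEGIN PGP MESSAGE-----": "PGP inline encrypted",
         "-----BEGIN PGP SIGNED MESSAGE-----": "PGP inline signed"}


def classify(raw: str) -> str:
    """Name the secure-messaging format of a raw message, or 'none'."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    protocol = str(msg.get_param("protocol", "")).lower()
    if (ctype, protocol) in MULTIPART_FORMATS:
        return MULTIPART_FORMATS[(ctype, protocol)]
    if ctype in SMIME_TYPES:
        # smime-type separates enveloped-data (encrypted) from signed-data.
        return "S/MIME " + str(msg.get_param("smime-type", "unspecified")).lower()
    # Inline PGP has no MIME marker: look for an ASCII-armor header line
    # in any text part (heuristic; quoted armor would also match).
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            for line in str(part.get_payload()).splitlines():
                if line.strip() in ARMOR:
                    return ARMOR[line.strip()]
    return "none"


# Constructed sample messages; bodies and signatures are placeholders.
PGP_MIME = ('Content-Type: multipart/signed; boundary="b";\n'
            ' protocol="application/pgp-signature"\n\n--b\n'
            'Content-Type: text/plain\n\nhi\n--b\n'
            'Content-Type: application/pgp-signature\n\n(sig)\n--b--\n')
SMIME_SIGNED = PGP_MIME.replace("pgp-signature", "pkcs7-signature")
SMIME_ENVELOPED = ('Content-Type: application/pkcs7-mime;\n'
                   ' smime-type=enveloped-data; name="smime.p7m"\n\n(cms)\n')
PGP_INLINE = ('Content-Type: text/plain\n\n'
              '-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nhi\n')

if __name__ == "__main__":
    for name in ("PGP_MIME", "SMIME_SIGNED", "SMIME_ENVELOPED", "PGP_INLINE"):
        print(name, "->", classify(globals()[name]))
```

The classifier only identifies the container format; verifying a signature or decrypting still requires the matching key material, which is where the second difference comes in.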

The second difference is more severe with regard to a long-term convergence of PGP and S/MIME. Fortunately, newer versions of PGP support X.509v3 public key certificates in addition to PGP certificates. Consequently, it is possible and very likely that we will see user agents that can handle X.509v3 public key certificates and process messages that conform to either the PGP or S/MIME formats. In the long term, however, it would be preferable for Internet standardization to come up with one unified secure messaging format and corresponding protocol specification(s). This would require merging the IETF OpenPGP and SMIME WGs into one IETF WG dedicated to secure messaging. Unfortunately, there are too many commercial interests involved to make this happen anytime soon.

[22] Indirect public key exchange uses directory services and PGP key servers.


Internet and Intranet Security
ISBN: 1580531660
EAN: 2147483647
Year: 2002
Pages: 144
