Hi,

> - - cryptographically, it appears more secure (i.e. larger public key
> sizes possible)

It's not size that matters, but technique. Seriously, both protocols support the same encryption methods and key lengths.

> - - it seems to be more widely used

Depending on the community you're looking at.

> - - it is easier to use (debatable)

Ease of use is a question of the MUA used.

> - - it's free

There are also free implementations of S/MIME available.

> - - PGP in general is more flexible

No.

Basically, the distinguishing mark between both protocols is the trust model implied by it (which is not intrinsic to the protocol, but made by marketing). PGP is the "geek" protocol, anyone can simply generate a key, have it signed by a few people they know and be set. S/MIME is the "corporate" protocol, with a centralized trust structure.

It would be no problem to introduce centralized trust into an OpenPGP WOT (in fact, it is being done, e.g. by German computer magazine c't, who offer an OpenPGP signing service and have their fingerprint in every issue), and it would be no problem to introduce a WOT into S/MIME. However, there is no incentive to do any of these. Corporations like VeriSign and Deutsche Telekom are making actual money selling certification in a centralized trust model. The rest should be obvious.

Technically, the X.509 protocols can do more than OpenPGP. They have, for example, additional attributes on a certificate that specify the fields of use for that key (email, code signing, web services, ...) and whether that key could sign certificates. OpenPGP simply authenticates an entity and makes no assumption or statement about the purpose of the key.

So, it's once again a conspiracy backed by evil large corporations that want us all to use S/MIME. :-)

   Simon

-- 
GPG Fingerprint: 040E B5F7 84F1 4FBC CEAD  ADC6 18A0 CC8D 5706 A4B4
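An added example, not part of the original message: the X.509 attributes mentioned above (fields of use for a key, and whether it may sign certificates) are the extended key usage, key usage and basic constraints extensions. The sketch below assumes the Python `cryptography` package; the helper names and both certificates are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID as EKU, NameOID


def make_cert(common_name, *, is_ca, eku_oids):
    """Build a throwaway self-signed certificate (constructed sample data)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        # "Whether that key could sign certificates": CA flag plus keyCertSign.
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=not is_ca, content_commitment=False,
            key_encipherment=False, data_encipherment=False,
            key_agreement=False, key_cert_sign=is_ca, crl_sign=is_ca,
            encipher_only=False, decipher_only=False), critical=True)
    )
    if eku_oids:  # "Fields of use": email, code signing, web services, ...
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku_oids), critical=False)
    return builder.sign(key, hashes.SHA256())


def allowed_uses(cert):
    """Report what the certificate's own extensions permit the key to do."""
    ext = cert.extensions
    bc = ext.get_extension_for_class(x509.BasicConstraints).value
    ku = ext.get_extension_for_class(x509.KeyUsage).value
    try:
        eku = set(ext.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        eku = None  # no EKU extension: purposes are not restricted by EKU
    return {
        "sign_certificates": bc.ca and ku.key_cert_sign,
        "sign_email": ku.digital_signature and (eku is None or EKU.EMAIL_PROTECTION in eku),
        "sign_code": ku.digital_signature and (eku is None or EKU.CODE_SIGNING in eku),
    }


if __name__ == "__main__":
    print(allowed_uses(make_cert("Alice (constructed)", is_ca=False, eku_oids=[EKU.EMAIL_PROTECTION])))
    print(allowed_uses(make_cert("Example CA (constructed)", is_ca=True, eku_oids=[])))
```

An OpenPGP key carries no equivalent of the extended key usage list, which is the difference the last technical paragraph of the message describes.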