Re: [openpgp] Can the OpenPGP vs. S/MIME situation be fixed?

Derek Atkins <> Wed, 06 July 2016 15:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 95DB112D0A4 for <>; Wed, 6 Jul 2016 08:00:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DycpiLte0dNM for <>; Wed, 6 Jul 2016 08:00:29 -0700 (PDT)
Received: from (MAIL2.IHTFP.ORG []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1AD5312B05F for <>; Wed, 6 Jul 2016 08:00:29 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id A9637E203F; Wed, 6 Jul 2016 10:59:57 -0400 (EDT)
Received: from ([]) by localhost ( []) (amavisd-maia, port 10024) with ESMTP id 06418-09; Wed, 6 Jul 2016 10:59:55 -0400 (EDT)
Received: from (IHTFP-DHCP-159.IHTFP.ORG []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "", Issuer "IHTFP Consulting Certification Authority" (verified OK)) by (Postfix) with ESMTPS id B9B87E2040; Wed, 6 Jul 2016 10:59:54 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=default; t=1467817194; bh=Wa77qmMVgW8Ghugkr2dxPlAc73UZrTV1z782487W+Og=; h=From:To:Cc:Subject:References:Date:In-Reply-To; b=Uj7ykXqBseOptuwAbLCjxl8k0ZUqeGrm/Nu8DPZBfzLRQzwFM9yJZcw5TfHIszYSQ APwUlzdIMXqols9mkMAVfyp416A5CiwHws11oeqTrD6/KvGXF/OqSIu+0YiaVEvFFL wQPieEmkQxI1ESimbOxeVBeDU3feaN4TwTsen69A=
Received: (from warlord@localhost) by (8.15.2/8.14.8/Submit) id u66Exoe7024818; Wed, 6 Jul 2016 10:59:50 -0400
From: Derek Atkins <>
To: Phillip Hallam-Baker <>
References: <20160701153304.332d2c95@pc1> <> <> <> <> <>
Date: Wed, 06 Jul 2016 10:59:50 -0400
In-Reply-To: <> (Phillip Hallam-Baker's message of "Tue, 5 Jul 2016 19:05:20 -0400")
Message-ID: <>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: <>
Cc: IETF OpenPGP <>, Jon Callas <>
Subject: Re: [openpgp] Can the OpenPGP vs. S/MIME situation be fixed?
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 06 Jul 2016 15:00:31 -0000

Phillip Hallam-Baker <> writes:

>     There's how you issue certificates (the whole CA/introducer issue(s)),
>     whether certs contain one key or key sets, how they are transported (S/
>     MIME puts them in the message, OpenPGP in directories etc.), and even the
>     role of the internal layering. Note that OpenPGP is a binary (and UTF-8 is
>     still binary) object protocol with a drizzling of MIME-encoding frosting
>     over the top. That frosting is subject to its own interpretations. S/MIME
>     in contrast *starts* with the email and MIME object and underneath there's
>     CMS, usually almost as an afterthought. (Did you have a momentary "huh?"
>     in your head when you read CMS? Many people do, and that's the point.) S/
>     MIME starts at the top, OpenPGP starts at the bottom.
>     And oh, there are also other things that have to be re-hashed like ASN.1
>     all over again and the things it drags along like encoding rules. This is
>     a good deal why perhaps its better to just push the other things up into
>     software. The reason that there are the two standards is that they address
>     different views of the world, technical as well as political.
> ​Two views of the world that are rather absolutist and thus wrong. Some parts
> of the world are hierarchical, others are not. A trust infrastructure needs to
> support both. But it isn't clear such infrastructure is best implemented
> inside a client.

OpenPGP can support hierarchical certificate deployments just fine (my
company is building one) as well as the Web of Trust model.  X.509
cannot support a Web of Trust deployment, period.

So there is a clear winner here.

       Derek Atkins                 617-623-3745   
       Computer and Internet Security Consultant