[openpgp] Can the OpenPGP vs. S/MIME situation be fixed?

[Hanno Böck <hanno@hboeck.de>]

Hi,

Maybe this is a crazy idea, but I wanted to throw it into the
discussion.

IMHO a big problem with e-mail encryption is that there are two
competing "official" standards: OpenPGP and S/MIME. Both are RFCs, so
both have a kinda "official" IETF approval.
I think it was a big mistake to create two competing standards in the
first place, but that was back in the 90s. So we may ask if we want to
live forever with this situation or if it can be fixed.

One of the most common explanations for the two standards I hear
is that S/MIME is the solution for business communications while
OpenPGP is more for private users. This never made a lot of sense to
me, because there are plenty of situations where "business" people may
have to communicate with "private" people. And the requirements aren't
any different. E-Mail encryption is supposed to ensure that no
unauthorized people can read or manipulate your mail, that doesn't
change whether you're using E-Mail for private or business
communication. So essentially I think there is no rational case for
competing standards.

So the question is: Instead of making RFC4880bis a "new OpenPGP
standard", could it instead be a successor of both OpenPGP and S/MIME?
Maybe it needs a new name, maybe not. There seems to be an smime working
group and there is still some activity, although the last RFC was
published in 2009. Things would obivously have to be coordinated so
that there is wide acceptance of the new standard.

Technically it would probably mean to create a compatibility layer to
be able to use both X.509 certificates and PGP keys to encrypt. But
that shouldn't be too hard, as the keys itself are just numbers, the
major difference is just the storage format.

Maybe this is a crazy idea, but maybe this could also be a chance to
fix one of the biggest mistakes in email encryption.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42