Sunday, December 9, 2007

PGP or S/MIME?

Q: Which one do you prefer?

A: Hi ...,
As discussed above, the right solution depends on the requirements.

Attached below are the areas that I usually check when I need to compare implementation options:

I assume that your question is for messaging (E-mail and the IM)

1- Interoperability -- For enterprise projects my first priority is the interoperability.
Whichever you choose, there will always be 3rd parties using the other method. I test interoperability before making any other decisions. Even a single protocol like S/MIME can have problems when communicating with different implementations. I always check if the preferred solution can switch from PGP to S/MIME, S/MIME to OpenPGP, OpenPGP to TLS etc... If you will deploy in-house only, the interoperability problem goes away, but in that case you can easily claim that the Exchange or Lotus Notes built-in features are good enough.
2- Key Management: Encryption/Signing is not the problem. Key management makes it tough. Keys/Certs have to be transparent; they should easily be reset/revoked/changed. If you have an enterprise PKI deployment, S/MIME makes sense. PGP works great if you work with PGP Corp's commercial deployment, which makes the key management easy.
3- Use S/MIME v3 only; the other version (v3) may create security problems due to 40 bit keys. Also check for IETF RFC compatibility in both implementations.
4- I would prefer S/MIME under perfect conditions where most of the messaging clients have built-in support.
S/MIME RFCs are more up to date as well... But again, have you ever seen a full/successful PKI deployment? S/MIME will bring all the cert problems (managing certs?) back. Expired certs and messages signed with these certs are a problem.
5- PGP Corporation's PGP solutions are preferred where you need to have it running tomorrow, and where you integrate disk encryption, transparent gateway, application encryption etc...
6- OpenPGP is a good idea (for home), but check the enterprise key management/interoperability/support issues at your operation.
7- I always verify if I have an answer for the delivery of encrypted emails to users who do not have encryption capabilities. There are a lot of transparent web-based solutions.
8- I do check in-the-cloud service providers like Google/Postini, Microsoft/Frontbridge, Zix and my current employer.
9- I always check turnkey solutions from PGP, Ironport, Tumbleweed, Ciphertrust, Zix, PostX, Voltage with in-house and co-managed options.
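Items 3 and 4 above come down to checks you can automate: what content-encryption algorithm a received S/MIME message actually uses (40-bit RC2 being the case to catch), before worrying about who signed it. The script below is an added example and is not part of the original post; it walks the DER of a CMS body with a minimal parser (single-byte tags only, an assumption) and flags legacy algorithm OIDs, reading the effective key length out of the RC2 parameters. The two sample bodies are constructed in the script itself (a bare EncryptedContentInfo, not a full EnvelopedData) so it runs offline; on a real message you would base64-decode the application/pkcs7-mime part and hand its bytes to the same function.

```python
"""Flag weak content-encryption algorithms in the DER body of an S/MIME message.

Added example: a minimal DER walker that collects AlgorithmIdentifier OIDs and
reports legacy ones. Assumes single-byte ASN.1 tags (true for CMS structures).
"""
import base64

# Content-encryption OIDs seen in S/MIME EnvelopedData (RFC 3370 / RFC 3565).
WEAK_ALGS = {"1.2.840.113549.3.2": "rc2-cbc", "1.3.14.3.2.7": "des-cbc"}
STRONG_ALGS = {
    "1.2.840.113549.3.7": "des-ede3-cbc",
    "2.16.840.1.101.3.4.1.2": "aes128-cbc",
    "2.16.840.1.101.3.4.1.42": "aes256-cbc",
}
# RFC 2268: the RC2 "version" parameter maps to effective key bits;
# values >= 256 are the key length itself.
RC2_VERSION_TO_BITS = {160: 40, 120: 64, 58: 128}


def _read_length(der, pos):
    """Decode a DER length at der[pos]; return (length, position after it)."""
    first = der[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    return int.from_bytes(der[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def _parse(der):
    """Split a DER byte string into a list of (tag, value_bytes) TLV pairs."""
    out, pos = [], 0
    while pos < len(der):
        tag = der[pos]
        length, pos = _read_length(der, pos + 1)
        out.append((tag, der[pos:pos + length]))
        pos += length
    return out


def _decode_oid(value):
    """Turn OID contents (base-128 arcs) into dotted notation."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def find_algorithms(der):
    """Return [(oid, params_value_or_None)] for every SEQUENCE whose first child
    is an OID, anywhere in the structure (AlgorithmIdentifier shape)."""
    found = []
    for tag, value in _parse(der):
        if tag & 0x20:  # constructed element: SEQUENCE, SET, [n] ...
            children = _parse(value)
            if tag == 0x30 and children and children[0][0] == 0x06:
                params = children[1][1] if len(children) > 1 else None
                found.append((_decode_oid(children[0][1]), params))
            found.extend(find_algorithms(value))
    return found


def rc2_effective_bits(params):
    """RC2-CBC params are SEQUENCE { version INTEGER, iv OCTET STRING }."""
    children = _parse(params) if params else []
    if not children or children[0][0] != 0x02:
        return None
    version = int.from_bytes(children[0][1], "big")
    return version if version >= 256 else RC2_VERSION_TO_BITS.get(version)


def assess_smime_body(b64_body):
    """Report each recognised content-encryption algorithm in a base64 CMS body."""
    report = []
    for oid, params in find_algorithms(base64.b64decode(b64_body)):
        if oid in WEAK_ALGS:
            name = WEAK_ALGS[oid]
            bits = rc2_effective_bits(params) if name == "rc2-cbc" else None
            report.append(f"WEAK {name}" + (f" ({bits}-bit effective key)" if bits else ""))
        elif oid in STRONG_ALGS:
            report.append(f"ok {STRONG_ALGS[oid]}")
    return report


# --- constructed sample bodies (DER encoder just for building test input) ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)


def _int(n):  # DER INTEGER with a leading 0x00 when the high bit is set
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _encrypted_content_info(alg_oid, params):
    """EncryptedContentInfo ::= SEQUENCE { id-data, AlgorithmIdentifier, [0] ciphertext }."""
    alg_id = _tlv(0x30, _oid(alg_oid) + params)
    return _tlv(0x30, _oid("1.2.840.113549.1.7.1") + alg_id + _tlv(0x80, b"\x00" * 8))


# Constructed: 40-bit RC2 (version 160) versus AES-128 with a 16-byte IV.
SAMPLE_RC2_40 = base64.b64encode(_encrypted_content_info(
    "1.2.840.113549.3.2", _tlv(0x30, _int(160) + _tlv(0x04, b"\x00" * 8)))).decode()
SAMPLE_AES128 = base64.b64encode(_encrypted_content_info(
    "2.16.840.1.101.3.4.1.2", _tlv(0x04, b"\x00" * 16))).decode()

if __name__ == "__main__":
    print(assess_smime_body(SAMPLE_RC2_40))   # ['WEAK rc2-cbc (40-bit effective key)']
    print(assess_smime_body(SAMPLE_AES128))   # ['ok aes128-cbc']
```

The walker deliberately matches any SEQUENCE that starts with an OID, so it also picks up the id-data content type and the key-transport algorithm in a full EnvelopedData; only the OIDs in the two tables are reported, which is what you want when sorting messages by cipher strength during an interoperability test.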

Let me know if this list helps. I may elaborate more based on your feedback.

cheers,
- yinal
