
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
the same protocol customarily used on PGP key servers. But whereas trust in PGP/GnuPG
scenarios is generally decentralized, in S/MIME environments, it is usually
centralized with an organization’s Certificate Authority.
Technically, there’s nothing to stop you from running a PGP key server on which
every user key must first be signed by a single “administrative” or “root” key of
some kind, but that wasn’t the way PGP was designed to work. Since S/MIME is
really just an extension of X.509, it works well within the standard PKI model of
highly centralized trust management (“trust no certificate that hasn’t been signed by
the CA”).
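The difference between the two trust topologies is easier to see in code. The following is an added illustration, not material from the book: a toy model of X.509-style chain validation (valid only if the issuer chain ends at a configured CA) beside a GnuPG-style web-of-trust computation (valid if enough introducers the local user has assigned ownertrust to have certified the key). It also models the "key server where every key must be signed by one administrative key" arrangement mentioned above, which collapses the web of trust into a hierarchy. No real cryptography is performed; signatures are plain records, and every name, address and trust assignment is constructed sample data.

```python
"""Toy models of two trust topologies: X.509/S/MIME chain validation to an
organization's CA, and an OpenPGP-style web of trust.  Signatures are plain
records (no real cryptography); all names below are constructed sample data."""

from dataclasses import dataclass, field

# ---------- X.509 / S/MIME: centralized, hierarchical trust ----------

@dataclass
class Cert:
    subject: str
    issuer: str          # subject of the certificate that signed this one
    is_ca: bool = False  # only CA certificates may issue others

def pki_valid(subject, certs, trusted_roots, max_depth=8):
    """Follow issuer links upward; valid only if the chain reaches a configured
    root and every intermediate is a CA.  Who else vouches for the subject is
    irrelevant: 'trust no certificate that hasn't been signed by the CA'."""
    seen, name = set(), subject
    for _ in range(max_depth):
        if name in trusted_roots:
            return True
        cert = certs.get(name)
        if cert is None or name in seen:
            return False          # unknown cert, or a self-signed loop
        seen.add(name)
        issuer = certs.get(cert.issuer)
        if issuer is None or not issuer.is_ca:
            return False          # signed by nobody we know, or by a non-CA
        name = cert.issuer
    return False

# ---------- OpenPGP: decentralized web of trust ----------

ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"

@dataclass
class PgpKey:
    uid: str
    signed_by: set = field(default_factory=set)  # uids that certified this key

def wot_valid(uid, keys, ownertrust, marginals_needed=3, max_depth=5):
    """GnuPG-like validity: a key is valid if it is ultimately trusted, or if
    it is certified by enough *valid* keys whose owners the local user trusts
    as introducers (one fully trusted, or `marginals_needed` marginally
    trusted; GnuPG's defaults are 3 marginals and a certification depth of 5).
    Introducers are chosen per user, so there is no single root."""
    def valid(name, depth, path):
        if ownertrust.get(name) == ULTIMATE:
            return True
        key = keys.get(name)
        if key is None or depth == 0 or name in path:
            return False
        full = marginal = 0
        for signer in key.signed_by:
            trust = ownertrust.get(signer, NONE)
            if trust == NONE or not valid(signer, depth - 1, path | {name}):
                continue          # unknown or untrusted introducer
            if trust in (ULTIMATE, FULL):
                full += 1
            else:
                marginal += 1
        return full >= 1 or marginal >= marginals_needed
    return valid(uid, max_depth, frozenset())

def demo():
    """Evaluate constructed certs and keys; returns {name: valid?} per model."""
    certs = {c.subject: c for c in [
        Cert("Example Corp Root CA", "Example Corp Root CA", is_ca=True),
        Cert("Example Corp Issuing CA", "Example Corp Root CA", is_ca=True),
        Cert("alice@example.com", "Example Corp Issuing CA"),
        Cert("bob@example.com", "alice@example.com"),      # signed by a non-CA
        Cert("Rogue CA", "Rogue CA", is_ca=True),           # not a configured root
        Cert("eve@example.com", "Rogue CA"),
    ]}
    pki = {s: pki_valid(s, certs, {"Example Corp Root CA"}) for s in certs}

    keys = {k.uid: k for k in [
        PgpKey("alice", {"alice"}),
        PgpKey("bob", {"alice"}),
        PgpKey("carol", {"bob"}),                   # one fully trusted introducer
        PgpKey("erin", {"alice"}), PgpKey("frank", {"alice"}), PgpKey("grace", {"alice"}),
        PgpKey("dave", {"erin", "frank", "grace"}),  # three marginal introducers
        PgpKey("heidi", {"erin"}),                  # only one marginal: not enough
        PgpKey("mallory", {"mallory"}),             # self-signed, nobody vouches
    ]}
    ownertrust = {"alice": ULTIMATE, "bob": FULL,
                  "erin": MARGINAL, "frank": MARGINAL, "grace": MARGINAL}
    wot = {u: wot_valid(u, keys, ownertrust) for u in keys}

    # Key server with a single administrative key: ownertrust is granted to
    # that key only, so the web of trust degenerates into a hierarchy.
    admin_keys = {k.uid: k for k in [
        PgpKey("admin", {"admin"}),
        PgpKey("bob", {"admin"}),
        PgpKey("carol", {"bob"}),   # bob vouches, but bob is not an introducer
    ]}
    admin = {u: wot_valid(u, admin_keys, {"admin": ULTIMATE}) for u in admin_keys}
    return {"pki": pki, "wot": wot, "wot_single_root": admin}

if __name__ == "__main__":
    for model, results in demo().items():
        print(model, results)
```

Running it shows the asymmetry the text describes: under the PKI model, bob's certificate is rejected because alice (not a CA) issued it, and eve's is rejected because her chain ends at a root the organization never configured, no matter how many users vouch for either. Under the web of trust, dave becomes valid through three marginal introducers with no central authority involved, while heidi, with one, does not. With ownertrust granted to a single administrative key, carol stays invalid until that key signs her, which is exactly the centralized behaviour the book notes PGP was not designed for.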
Which Should You Use?
Deploying email encryption to any organization is a nontrivial undertaking, and no
matter which system you choose (OpenPGP-based or S/MIME, commercial or open
source), you will need to determine your organization’s real security requirements,
its stomach for complexity, and the best fit for your existing infrastructure and
software environment. You’ll also need to plan and budget for a major user-education
initiative.
Having said that, I think it’s safe to say that Exchange and Netscape shops will find
S/MIME to be the obvious choice, and PGP or GnuPG will be the best choice if your
users need to routinely exchange encrypted ...