On 06/10/2011 12:44 PM, Tom Metro wrote:
> Edward Ned Harvey wrote:
>> I am very surprised to hear people using the term "PGP" as if it were
>> synonymous with "Email signing/encryption." As far as I'm concerned, S/MIME
>> has already won the war on email signing/encryption.
>
> I wish that were true, but can you name any organization that routinely
> uses S/MIME when sending mail to recipients outside their organization?

US DoD. Of course, they have their own CAs that you have to add to your trusted CA list before you can validate anything (well, more precisely, before most email clients will validate). They are big enough that they can get away with that though...

> Phishing could be all but wiped out if these organizations adopted
> S/MIME.

True, but only to the extent that people could be trained to recognize their email client's notifications about "this message was signed" / "this message was *not* signed". Much like the various tricks web browsers do to make it more obvious when https is being used.

But even then, it's still not foolproof: I could get a trusted CA to sign a cert for a similar-looking email address, and the email client will happily proclaim "this message was signed by its sender!". Yes, there are other clues one could look for in the message (e.g. that email address isn't one I've seen before, etc). But that just goes to my point: there isn't one thing you can do to wipe out phishing. Reckless application of crypto only leads to the illusion of security...

Matt
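The two clues Matt mentions, "is the signer actually the From address?" and "have I seen this address before?", can be turned into a mechanical check that a mail client or filter runs after the S/MIME signature has already verified. The following Python is an added illustration, not code from the BLU thread or any mail client; it assumes the signature verification step has already been done and has handed us the email address bound to the signing certificate (`signer_email`). The address book and the confusable-character table are constructed for the example.

```python
"""Post-verification sanity check for a signed message.

A valid S/MIME signature only proves that *some* certified address signed the
message. This check asks two further questions the signature cannot answer:
does the certified address match the visible From header, and is that address
one we already know (or merely one that looks like one we know)?
"""
from email.utils import parseaddr
from typing import Iterable, Optional, Tuple
import difflib
import unicodedata

# Constructed address book for the example; in practice this is whatever the
# mail client already knows about prior correspondents.
KNOWN_CONTACTS = {"tom@example.org", "ned@example.com"}

# Small look-alike table (an assumption, not exhaustive): glyph sequences that
# render similarly in common fonts are folded to one canonical form so that
# "torn@" and "t0m@" both compare equal to "tom@".
_CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"),
                     ("1", "l"), ("|", "l"), ("5", "s")]


def canonical(address: str) -> str:
    """Fold case, Unicode compatibility forms and ASCII look-alikes."""
    folded = unicodedata.normalize("NFKC", address).lower()
    for src, dst in _CONFUSABLE_PAIRS:
        folded = folded.replace(src, dst)
    return folded


def assess(from_header: str,
           signer_email: Optional[str],
           known: Iterable[str] = KNOWN_CONTACTS,
           threshold: float = 0.85) -> Tuple[str, Optional[str]]:
    """Return (verdict, related_address).

    Verdicts:
      unsigned         - no signer identity at all
      signer-mismatch  - certificate address differs from the From address
      known-signed     - signed by an address already in the address book
      lookalike-signed - signed, but the address resembles a known contact
      unknown-signed   - signed by an address we have never seen
    """
    _, from_addr = parseaddr(from_header)
    from_addr = from_addr.lower()
    if signer_email is None:
        return ("unsigned", None)
    if signer_email.lower() != from_addr:
        return ("signer-mismatch", signer_email)
    known_set = {k.lower() for k in known}
    if from_addr in known_set:
        return ("known-signed", from_addr)
    canon = canonical(from_addr)
    for contact in sorted(known_set):
        contact_canon = canonical(contact)
        similarity = difflib.SequenceMatcher(None, contact_canon, canon).ratio()
        if contact_canon == canon or similarity >= threshold:
            return ("lookalike-signed", contact)
    return ("unknown-signed", None)


if __name__ == "__main__":
    # Constructed sample messages; the second is Matt's "similar-looking
    # address with a perfectly valid certificate" case.
    samples = [
        ("Tom Metro <tom@example.org>", "tom@example.org"),
        ("Tom Metro <torn@example.org>", "torn@example.org"),
        ("Ned <ned@example.com>", None),
        ("Ned <ned@example.com>", "ned@example.net"),
        ("Stranger <stranger@example.net>", "stranger@example.net"),
    ]
    for header, signer in samples:
        print(f"{header:40} -> {assess(header, signer)}")
```

The point of the `lookalike-signed` verdict is that it fires exactly in the situation the message describes: the signature is genuine, the client would say "signed by its sender", and only the comparison against addresses you have actually corresponded with reveals the substitution. A real client would also want to treat `signer-mismatch` as loudly as `unsigned`, since a valid signature from some other address is no evidence about the displayed sender.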