[messaging] S/MIME in corporate settings (was Re: TOFU to ease PGP key discovery)

Andy Isaacson adi at hexapodia.org
Mon Feb 9 09:30:50 PST 2015

On Mon, Feb 09, 2015 at 09:20:13AM -0800, Trevor Perrin wrote:
> But is it really true that S/MIME is "much more widely used in
> corporate deployments than PGP"?  Do you have numbers on that, or more
> info on who/where all this S/MIME adoption is?

I don't have numbers, and in fact I don't have even secondhand knowledge
of a specific deployment, but the presence of tools makes it extremely
likely that S/MIME is used in at least some enterprises.

Apple Mail (on OSX) and Exchange (on Windows, or via the rich web UI)
have S/MIME interoperability and Kerberos (Active Directory) identity
key discovery.  I think Blackberry's email client supports it, too.

I've had Apple Mail users unintentionally send me signed emails due to
having a certificate generated for unrelated purposes, bound to their
email address by a helpful CA, and Apple helpfully finding the
certificate on the Keyring and transparently using it to sign outbound
email.  (I queried the sender for what hoops he'd had to jump through to
get S/MIME signing to work and his response was "signed email?")  Mutt
tries to verify S/MIME sigs and will even succeed sometimes if the
Debian CA list contains the relevant roots.


More information about the Messaging mailing list