You have seen the importance of the "envelope" for your e-mail and how to provide one using tools of modern information technology: a mail strongbox, in which anyone can deposit encrypted mails which only you, the owner of the strongbox, can decrypt. It is not possible to break the encryption as long as the private key to your "strongbox" remains your secret.

Still: if you think about it, there is another problem. A little further up you read how, in contrast to the secret key method, you do not need to meet the person you are corresponding with in person in order to enable them to send you a secret message. But how can you be sure that this person is actually who they say they are? In the case of e-mail, you only rarely know all of the people you correspond with personally, and it is not usually easy to find out who is really behind an e-mail address. Hence, we need to guarantee not only the secrecy of the message but also the identity of the sender, that is, authenticity.

Hence someone must confirm that the person who wants to send you a secret message really is who they claim to be. In everyday life, we use IDs, signatures or certificates issued by authorities or notaries for this purpose. These institutions derive their right to issue notarisations from a higher-ranking authority and ultimately from legislators. Seen another way, this describes a chain of trust which runs from "the top" to "the bottom", and is called a "hierarchical trust concept".

In Gpg4win and other e-mail encryption programs, this concept is found in almost mirror-like fashion in S/MIME. Added to this is OpenPGP, another concept that exists in this form only on the Internet. S/MIME and OpenPGP have the same task: the encryption and signing of data. Both use the already familiar public key method. While there are some important differences, in the end neither standard offers any general advantage over the other. For this reason, Gpg4win lets you use both methods.

The equivalent of the hierarchical trust concept is called "Secure / Multipurpose Internet Mail Extension" or S/MIME. If you use S/MIME, your key must be authenticated by an accredited organisation before it can be used. The certificate of this organisation was in turn authenticated by a higher-ranking organisation, and so on, until we arrive at a so-called root certificate. This hierarchical chain of trust usually has three links: the root certificate, the certificate of the certificate issuer (the CA, for Certificate Authority), and finally your own user certificate.

A second, alternative and non-compatible notarisation method is the OpenPGP standard, which does not build a trust hierarchy but rather assembles a "Web of Trust". The Web of Trust reflects the basic structure of the non-hierarchical Internet and its users. For example, if User B trusts User A, then User B could also trust the public key of User C, whom he does not know, if this key has been authenticated by User A.

Therefore OpenPGP offers the option of exchanging encrypted data and e-mails without authentication by a higher-ranking agency. It is sufficient if you trust the e-mail address and associated certificate of the person you are communicating with.
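To make the two trust models above concrete, here is an added example (not part of the compendium or of Gpg4win's code) that checks key validity both ways: the S/MIME-style walk up an issuer chain to a root certificate, and the simplified Web of Trust rule in which B accepts C's key because a person B trusts (A) has certified it. All names, the chain and the certifications are constructed sample data; the "one full or three marginal signers" rule and the depth limit follow GnuPG's defaults but are a simplified model of its actual trust computation.

```python
# Constructed toy data: a certificate chain for the S/MIME-style model and a
# keyring of certifications for the OpenPGP-style model. Names are made up.
HIERARCHY = {"user": "ca", "ca": "root", "root": "root"}  # subject -> issuer

CERTIFICATIONS = {  # subject -> set of owners whose keys signed that key
    "A": {"B"},            # B checked A's key personally and signed it
    "C": {"A"},            # A vouches for C; B has never met C
    "D": {"E", "F", "G"},  # three people B only partly trusts vouch for D
    "E": {"B"}, "F": {"B"}, "G": {"B"},
    "H": {"E"},            # only one marginally trusted signer
}
# Owner trust as assigned by B: how far B trusts each person to verify others.
B_TRUST = {"A": "full", "E": "marginal", "F": "marginal", "G": "marginal"}


def chain_is_valid(issuer_of, subject, trusted_roots):
    """S/MIME-style check: follow issuer links until a trusted root is reached."""
    seen = set()
    while subject not in trusted_roots:
        if subject in seen or subject not in issuer_of:
            return False  # loop, untrusted self-signed cert, or dangling link
        seen.add(subject)
        subject = issuer_of[subject]
    return True


def key_is_valid(certs, owner_trust, verifier, subject, depth=0, max_depth=5):
    """OpenPGP-style check (simplified): a key is valid for `verifier` if it was
    certified by one fully trusted key or by three marginally trusted keys,
    and each certifying key must itself be valid from the verifier's view."""
    if subject == verifier:
        return True  # your own key is the root of your web
    if depth >= max_depth:
        return False  # bound the chain length, as GnuPG does with max-cert-depth
    usable = [s for s in certs.get(subject, set())
              if key_is_valid(certs, owner_trust, verifier, s, depth + 1, max_depth)]
    full = sum(1 for s in usable if s == verifier or owner_trust.get(s) == "full")
    marginal = sum(1 for s in usable if owner_trust.get(s) == "marginal")
    return full >= 1 or marginal >= 3
```

Note that owner trust alone is not enough: a signer's certification only counts once the signer's own key has been validated, which is why B must have signed A's key before A's signature on C's key carries weight.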

Whether with a trust hierarchy or a Web of Trust, the authentication of the sender is at least as important as protecting the message. We will return to this important protection feature later in the compendium. For now, this information should be sufficient to install Gpg4win and understand the following chapters:

Chapter 7 of this compendium, which discusses the creation of the key pair, therefore branches off to discuss both methods. At the end of Chapter 7 the information is combined again.

© 31. August 2010, v3.0.0-beta1 (last minor changes from 21. September 2010)
The Gpg4win Compendium is filed under the GNU Free Documentation License v1.2.

