Would PGP be the best for a secure internal email communication?

Farrouj (n00b, joined Apr 12, 2015, 14 messages)
As far as I understand PGP uses a web of trust instead of a public certificate authority to sign certificates. Is this the best way to implement internal email security? Or is S/MIME better for some reason?

> Farrouj said: As far as I understand PGP uses a web of trust instead of a public certificate authority to sign certificates. Is this the best way to implement internal email security? Or is S/MIME better for some reason?

I think that depends on what you are trying to do. In a relatively small community, the web of trust would be fine, for email sent between members of that community. In a larger context, there might be scalability issues. And there would be issues when sending or receiving email from outside the organization.
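The scalability point above is easiest to see by running the validity calculation an OpenPGP client performs. The following is an added example written for this thread, not GnuPG's code and not anything the posters shared: it simulates GnuPG's classic "pgp" trust model with its documented defaults (completes-needed=1, marginals-needed=3, max-cert-depth=5), then contrasts it with the single-issuer arrangement an S/MIME deployment gives you. Every key name, signature and trust assignment in it is constructed sample data.

```python
"""Simulated OpenPGP web-of-trust validity calculation (GnuPG's classic
'pgp' trust model) beside the single-issuer model that S/MIME relies on.

Added example for this thread: it is not GnuPG's code and never calls gpg.
The thresholds are GnuPG's documented defaults; every key name and
signature below is constructed sample data.
"""

COMPLETES_NEEDED = 1  # fully trusted introducers needed to validate a key
MARGINALS_NEEDED = 3  # marginally trusted introducers needed instead
MAX_CERT_DEPTH = 5    # longest chain of introducers that is honoured


def compute_validity(signatures, owner_trust):
    """Return {key: depth} for every key the local user may treat as valid.

    signatures: iterable of (signer, signed_key) certifications.
    owner_trust: {key: 'ultimate' | 'full' | 'marginal' | 'none'}; a key
    absent from the dict has owner trust 'none', as in GnuPG.
    A key becomes valid once it carries certifications from already-valid
    keys amounting to COMPLETES_NEEDED full or MARGINALS_NEEDED marginal
    introducers; the user's own (ultimate) keys are valid at depth 0.
    """
    signers_of = {}
    for signer, signed in signatures:
        if signer != signed:  # a self-signature introduces nobody
            signers_of.setdefault(signed, set()).add(signer)

    valid = {k: 0 for k, t in owner_trust.items() if t == "ultimate"}
    candidates = set(signers_of) | set(owner_trust)

    for depth in range(1, MAX_CERT_DEPTH + 1):
        introducers = set(valid)  # only keys validated in earlier rounds count
        newly_valid = []
        for key in candidates - introducers:
            full = marginal = 0
            for signer in signers_of.get(key, set()) & introducers:
                trust = owner_trust.get(signer, "none")
                if trust in ("ultimate", "full"):
                    full += 1
                elif trust == "marginal":
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid.append(key)
        if not newly_valid:
            break
        for key in newly_valid:
            valid[key] = depth
    return valid


def trust_decisions(owner_trust):
    """Number of per-person owner-trust judgements the user had to make."""
    return sum(1 for t in owner_trust.values() if t in ("full", "marginal"))


# Constructed sample: Alice's keyring for a small department.
DEPARTMENT_SIGNATURES = [
    ("alice", "bob"), ("alice", "carol"),
    ("bob", "dave"), ("bob", "frank"),
    ("carol", "erin"), ("dave", "erin"), ("frank", "erin"),
    ("erin", "grace"),
    ("mallory", "grace"),  # a signature from a key nobody vouches for
]
DEPARTMENT_TRUST = {
    "alice": "ultimate", "bob": "full",
    "carol": "marginal", "dave": "marginal",
    "frank": "marginal", "erin": "marginal",
}


def department_web_of_trust():
    """Alice's view: grace stays invalid (one marginal introducer only)."""
    return compute_validity(DEPARTMENT_SIGNATURES, DEPARTMENT_TRUST)


def organisation_ca(users):
    """S/MIME-style: the user certifies one issuer key and trusts it fully;
    every key that issuer signs is valid with no further decisions."""
    signatures = [("me", "university-ca")] + [("university-ca", u) for u in users]
    owner_trust = {"me": "ultimate", "university-ca": "full"}
    return compute_validity(signatures, owner_trust)


def long_chain(length):
    """k0 -> k1 -> ... -> k<length>, every link fully trusted; hops beyond
    MAX_CERT_DEPTH are still ignored."""
    keys = [f"k{i}" for i in range(length + 1)]
    owner_trust = {k: "full" for k in keys}
    owner_trust["k0"] = "ultimate"
    return compute_validity(list(zip(keys, keys[1:])), owner_trust)


if __name__ == "__main__":
    print("web of trust:", department_web_of_trust(),
          "decisions:", trust_decisions(DEPARTMENT_TRUST))
    print("single issuer:", organisation_ca(["bob", "carol", "dave"]))
    print("chain of 7:", long_chain(7))
```

Running it shows why a few hundred staff strain the web of trust: Alice reaches erin only after three hops and three separate marginal trust judgements, grace never becomes valid, and a chain of fully trusted introducers is cut off after five hops, whereas the single-issuer model needs exactly one trust decision per user and validates every certified key at depth 2.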

Farrouj

> I think that depends on what you are trying to do. In a relatively small community, the web of trust would be fine, for email sent between members of that community. In a larger context, there might be scalability issues. And there would be issues when sending or receiving email from outside the organization.

It's for internal communication between university staff, with maybe hundreds of users. But I guess they would also want to send emails to the outside world?
 
PGP is an interesting one, I have tried to use it but since no one else does it kinda stopped. But keep in mind email clients like Thunderbird have built-in support for PGP, letting you send email encrypted, signed, or with nothing. Plus all you have to do is set up a public-facing repository for the public key or use one that already exists like MIT's. I think Thunderbird can even use the repository to automatically get the public keys. The biggest problem with PGP is if a user loses their private key or it gets stolen, well, it can be a real pain to try to fix that.

> PGP is an interesting one, I have tried to use it but since no one else does it kinda stopped. But keep in mind email clients like Thunderbird have built-in support for PGP, letting you send email encrypted, signed, or with nothing. Plus all you have to do is set up a public-facing repository for the public key or use one that already exists like MIT's. I think Thunderbird can even use the repository to automatically get the public keys. The biggest problem with PGP is if a user loses their private key or it gets stolen, well, it can be a real pain to try to fix that.

So you'd say PGP is more practical?
 
As to whether it's more practical, I can't say as I have not had much experience with S/MIME. I can say that with PGP it will be hard for people to use it with things like phones (never looked up whether there was an email client for Android/iOS that supports PGP); if it can be done it won't be as straightforward as the built-in email client. There are things like Keybase.io which are trying to make using PGP easier, but as of right now the majority of people prefer convenience over security. If you were using it for internal use only with a limited number of devices that could use the email then sure, it's rather easy, just create a key pair for every employee and have them copy the private key to the computers they will be using. Though that brings up whether the computers themselves are secure enough to prevent their keys from getting stolen.

> As to whether it's more practical, I can't say as I have not had much experience with S/MIME. I can say that with PGP it will be hard for people to use it with things like phones (never looked up whether there was an email client for Android/iOS that supports PGP); if it can be done it won't be as straightforward as the built-in email client. There are things like Keybase.io which are trying to make using PGP easier, but as of right now the majority of people prefer convenience over security. If you were using it for internal use only with a limited number of devices that could use the email then sure, it's rather easy, just create a key pair for every employee and have them copy the private key to the computers they will be using. Though that brings up whether the computers themselves are secure enough to prevent their keys from getting stolen.

Unless the private keys are protected with GOOD encryption, they will get compromised sooner or later. I think that when R, S, and A were devising their protocols, they didn't think about this issue.

Just out of curiosity, what is the need for encrypting internal emails? Are you also required to archive emails to support a legal discovery process? It's a pretty steep slope, very slippery.