Cryptography Reference
In-Depth Information
in contrast to S/MIME, OpenPGP supports several signatures and user IDs for
each key. Furthermore, OpenPGP already has a working key-server network
that people can easily access to fetch public keys. This makes it relatively
easy, for example, to exchange OpenPGP-compliant encrypted mail with a
new converser, while the strict certification hierarchy of S/MIME can cause
problems if two conversers are not embedded in the same structure. Perhaps
all these problems are only apparent, but I seldom found an S/MIME signature
among the mails I received; I found OpenPGP-compatible signatures more
often.
7.2.2 RIPEM
Insiders know that paper is unusually patient in the electronic data processing
landscape. In particular, a standard formulated by theoretical considerations can
exist for a long time without having an impact worth mentioning on practice,
because there are no suitable implementations.
PEM is undoubtedly one of these standards. The best-known implementation
was called
RIPEM
(
Riordan's Internet Privacy Enhanced Mail
) by Mark
Riordan (you can find two articles about it on the Web site). RIPEM runs
on many UNIX variants as well as DOS, Windows, OS/2, Macintosh, and
Windows NT.
However, RIPEM was not a full implementation of PEM; in particular, it had
no key management. More specifically, RIPEM didn't process PEM certifi-
cates yet, except the Macintosh version. An expansion was planned. Public
keys were fetched using the
finger
command directly from the computer con-
cerned. Moreover, RIPEM was able to create fingerprints, like PGP, for easy
key verification.
RIPEM served primarily for email authentication and secondarily for encryp-
tion, while it is rather the other way around with PGP. RIPEM processes only
simple text files (and no Microsoft Word files, for example), and the line length
is limited to 1023 characters.
Riordan emphasizes two important benefits he thinks PEM has over PGP (in
two articles on the Web site in the FAQs): The first is that PEM was an official
standard while PGP is compatible only within itself. The second benefit is that
PGP violated patent rights and was exported illegally. (That's not bad for the
users, don't you think?)
Both arguments have become irrelevant. OpenPGP and S/MIME have become
the de-facto standards on the Internet. In particular, the security concept of
