Around 9 months ago I read The Code Book (Simon Singh). A few months later there was an article in Mac User magazine about email security on OS X. Mail.app supports S/MIME "out the box", and the article included a tutorial on getting a legit, free, s/mime key pair from the "Trusted Authority" Thawte, do I did, and have been using it to sign all my outgoing personal email with it since. There is an tutorial online explaining how to get do this here.

Clients that support S/MIME will show emails from me (at least, my personal correspondence) as "signed". Anyone who has their own S/MIME key-pair can email me encrypted. That elite club currently counts two.

The TA system has one big advantage, and one big weakness, as far as I can see. The advantage is that they sign my certificate as being from them, and having been given to the valid owner of my email address. With a little effort I could go further and have the certificate certified as being for me personally by name. People who get an email from me need do nothing to verify it's validity. Beside the math, or my key-pair being compromised the weak link (for privacy via encryption) is Thawte. Can they really be trusted? How much are peoples key-pairs worth to them? Would they, or could they, fight government pressure to release the keys "in order to find terrorists"?

For clients that don't support S/MIME a signed email appears to have an attachment named smime.p7s. This has caused a little confusion, but not much, as all the big email clients support S/MIME. The problem comes with web-mail users. That said, no webmail interface I know of has any support for secure email of any sort, and my mum uses HoTMaiL.

More recently I received an email with an attachment I'd not seen before: signature.asc. I emailed the sender asking what the file was, and he explained it is an OpenPGP/MIME digital signature. A little while later I had been to the Mac GNU PGP site and downloaded, then installed:

• GNU Privacy Guard,
• GPGKeys, &
• GPGPreferences.

I then went to the GPGMail site, and downloaded and installed the Mail.app plug in, and and checked my friends email. The message was marked as GPG Signed, and there was a button to "Verify". I clicked the button and was told that the signature could not be verified as there were "missing keys". I replied to the sender and explained the problem. Aha, I was told, I must search for and download his public keys from pgp.mit.edu. And so I tried to. The search did not respond. I emailed the admin, who was very helpful, and explained that I may be behind a firewall (I am) and that I could try the email interface. And so I did, and I eventually got back a key-chain attachment which I was able to save and then import into GPGKeys, and then, finally, I was able to verify that yes, the person who sent me the email had also uploaded his public key to the MIT keychain server.

So they way I see it - and I'm no expert - people should be using S/MIME and Trusted Authorities for digital signatures, and PGP/GPG for privacy via encryption. Or have I missed something?

Addendum: My friend, incidentally, claims that his use of GPG has protected him from attempts to sabotage his career by non other than the infamous Ian Gomeche, who apparently tried to send emails with faked headers "from" him to the whole educational facility where this friend of mine works.