Hi there!
I started using Enigmail (currently V2.1.9) with TB (currently V68.10.0)
on Linux Mint with gpg (GnuPG) 2.2.19.
When I try to send an email, I (nearly most of the time) get the error
message popup that sending failed, because I choose to sign the email
and the certificate was "not found or outdated".
However, when I close the popup and hit send again, the email is sent
without error message.
In fact, I'm not sure if the email is signed in this case. (Looking at
my sent folder, it seems it is not.)
BTW: When TB tries to save the email, I get the same error message.
Now, I found, that when I change the setting "prefer S/MIME" to "prefer
Enigmail (OpenPGP)" "when both are possible" I can send emails without
error message and they appear signed in my sent box.
When I check my email account settings in TB, I see my gpg certificates
at the tab "OpenPGP > select key". But at the tab "S/MIME" I don't see
certificates.
I must admit, I thought that the same certificate can be used for both
cases.
In any case, I would expect that - if S/MIME is NOT possible, e.g.
because no matching certificate is found, that in this case OpenPGP is used.
Or what should be the expected behaviour of this option? "when both are
possible" somehow seems to imply that sending is possible, but obviously
it is not in my case.
Generally, I noticed that I would like to understand what the difference
is between S/MIME and PGP/MIME / Inline-PGP.
I browsed the Enigmail handbook at
https://www.enigmail.net/index.php/en/user-manual but didn't find a
section addressing this.
What are the practical implications of these options? What should I
consider when to use what?
Thanks,
Peter
OpenPGP and S/MIME are two different standards for encrypting and signing mails. Both use the concept of key pairs (i.e. a private and a public key), and both use a similar set of encryption algorithms.
S/MIME uses X.509 certificates which are signed by a Certificate Authority (CA), with all implications of a CA: for example the CA will verify the ownership of the key (e.g. the email address) and it can revoke the certificate. That is, X.509 certificates have a single central control instance.
OpenPGP uses self-signed keys, with the option for others to also sign a key. The key is a lot more in control of the owner; he can revoke the key, change expiry, add user IDs and so on. That is, OpenPGP is a fully decentralized system for issuing and verifying keys.
As a consequence, OpenPGP keys and S/MIME certificates are two different pairs of shoes - you can't use OpenPGP keys for S/MIME and vice versa.
Concerning the difference between PGP/MIME and Inline-PGP, read here: https://www.enigmail.net/index.php/en/user-manual/handbook-faq#What.27s_the_difference_between_Inline_PGP_and_PGP.2FMIME.3F
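
An added example, not part of the original thread and not Enigmail or Thunderbird code: a small Python check that reports which of the formats discussed above a saved message (for instance a copy from the Sent folder) declares, based on its MIME headers and body. It only identifies the declared format and does not verify any signature; the sample messages and the `peter@example.org` address are constructed.

```python
from email import message_from_string

SMIME_SIG = ("application/pkcs7-signature", "application/x-pkcs7-signature")
SMIME_MIME = ("application/pkcs7-mime", "application/x-pkcs7-mime")

def _param(msg, name):
    # get_param() returns a tuple for RFC 2231-encoded values; normalise to str.
    value = msg.get_param(name) or ""
    return (value[2] if isinstance(value, tuple) else value).lower()

def signing_format(raw):
    """Classify a raw message as 'PGP/MIME', 'S/MIME', 'Inline-PGP' or 'unsigned'."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        # PGP/MIME and S/MIME share the container; the protocol parameter differs.
        protocol = _param(msg, "protocol")
        if protocol == "application/pgp-signature":
            return "PGP/MIME"
        if protocol in SMIME_SIG:
            return "S/MIME"
    if ctype in SMIME_MIME and _param(msg, "smime-type") == "signed-data":
        return "S/MIME"  # opaque-signed variant: content is inside the CMS blob
    for part in msg.walk():
        # Inline-PGP has no MIME marker; the armor header sits in the text itself.
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            if b"-----BEGIN PGP SIGNED MESSAGE-----" in body:
                return "Inline-PGP"
    return "unsigned"

def sample_signed(protocol):
    # Constructed multipart/signed message; the signature part is a placeholder.
    return ('From: peter@example.org\nMIME-Version: 1.0\n'
            f'Content-Type: multipart/signed; protocol="{protocol}"; boundary="b1"\n\n'
            '--b1\nContent-Type: text/plain\n\nHello\n'
            f'--b1\nContent-Type: {protocol}\n\n(placeholder)\n--b1--\n')

# Constructed inline-signed and unsigned samples.
INLINE = ("From: peter@example.org\nContent-Type: text/plain\n\n"
          "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nHello\n"
          "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n")
PLAIN = "From: peter@example.org\nContent-Type: text/plain\n\nHello\n"

if __name__ == "__main__":
    for raw in (sample_signed("application/pgp-signature"),
                sample_signed("application/pkcs7-signature"), INLINE, PLAIN):
        print(signing_format(raw))
```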