5

After some research without finding an answer to my question (is it possible, and does it make sense, to sign an e-mail with both PGP and S/MIME?), I'm hoping to get an answer here.

I know that PGP and S/MIME fulfil the same purpose. They create the signature with the same cryptographic utilities, but manifest it in a different format. The question about the differences between these two tools was already asked here: How does PGP differ from S/MIME?

Far more clients are compatible with S/MIME out of the box. Is it possible to provide both a PGP and an S/MIME signature per e-mail, so I can satisfy PGP and S/MIME users?

Robin
  • 175
  • 5

2 Answers

5

You can sign with both PGP and S/MIME. Contrary to Oliver Schmidt's response, it is possible to create an external signature using PGP (you can sign any file with a PGP key, not just text; an executable (.exe) is not a good candidate for inline signatures). This is referred to as "PGP/MIME".

An external signature on a PGP file will be *.sig, and S/MIME will typically be in the format of *.p7s for the PKCS#7 format. If you are using external signatures, the order should not matter, since you are not using both (as long as mail clients support it). Encapsulating them as suggested in another answer should technically work, since the PGP user can ignore the S/MIME attachment.

The big issue of what to use will depend upon what your recipient is expecting and what their email client is capable of doing (or what external tools they have). Some older clients may not support external PGP signatures.

Eric G
  • 9,691
  • 4
  • 31
  • 58
3

To make a long story short: Yes, that will work and it will make sense, too.

I'll try to explain this:

PGP stores the signature inside the email body.

The body of a PGP-signed mail usually begins with -----BEGIN PGP SIGNED MESSAGE-----, followed by the hash algorithm and the message clear text, followed by -----BEGIN PGP SIGNATURE-----, followed by the ASCII-armored signature, followed by -----END PGP SIGNATURE-----.

S/MIME instead defines the Content-Type: multipart/signed header in your email and stores the signature in a (PKCS#7) attachment. The header tells S/MIME-compatible clients how to verify the signature (the parameters boundary, protocol and micalg are relevant here). If the client sees itself capable of verifying the signature, it will do this by reading and comparing the attachment.

Thus, PGP as well as S/MIME will leave the message text untouched. If you sign with PGP first, all the PGP stuff (e.g. -----BEGIN PGP SIGNATURE-----) will be part of the S/MIME signature. If you sign with S/MIME first, both signatures will be independent. However, either order will work!

rowing-ghoul
  • 147
  • 2
  • PGP-signed email can be used with either inline signatures (which is what you describe) or with detached signatures. PGP/MIME is a better comparison to S/MIME than inline PGP signatures are. – user Apr 14 '15 at 16:21
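The two answers describe three layouts a recipient's client has to recognise: an inline (clearsigned) PGP body, a PGP/MIME `multipart/signed` part with `protocol="application/pgp-signature"`, and an S/MIME `multipart/signed` part with `protocol="application/pkcs7-signature"` and a `.p7s` attachment, possibly with one wrapped inside the other. The script below is an added example, not code from either answer or from any mail client: it walks a raw message's MIME tree with Python's standard `email` package and reports which layers are present, in nesting order, without verifying anything (the signature bodies in the two constructed sample messages are placeholders, and the address and file names are made up). It is the kind of check a mail gateway or triage tool would run before handing the message to GnuPG or an S/MIME verifier.

```python
# Added example (not from the original Q&A): identify which signature layouts
# an e-mail carries. It does NOT verify signatures; sample signature bodies
# below are constructed placeholders.
import email
from email import policy

PGP_CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
PGP_SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
PGP_SIG_END = "-----END PGP SIGNATURE-----"

# multipart/signed "protocol" parameter -> scheme label
SIGNED_PROTOCOLS = {
    "application/pgp-signature": "pgp/mime",
    "application/pkcs7-signature": "s/mime",
    "application/x-pkcs7-signature": "s/mime",
}


def classify_signatures(raw: bytes) -> dict:
    """Walk the MIME tree and report every signature layer found.

    Returns a dict with:
      schemes          set of 'pgp-inline', 'pgp/mime', 's/mime', 'unknown-multipart-signed'
      micalg           micalg parameters in outer-to-inner (nesting) order
      signature_parts  file names of detached signature parts (.asc / .sig / .p7s)
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    schemes, micalgs, sig_parts = set(), [], []
    for part in msg.walk():  # depth-first, a parent before its children
        ctype = part.get_content_type()
        if ctype == "multipart/signed":
            proto = (part.get_param("protocol") or "").lower()
            schemes.add(SIGNED_PROTOCOLS.get(proto, "unknown-multipart-signed"))
            micalg = part.get_param("micalg")
            if micalg:
                micalgs.append(str(micalg).lower())
        elif ctype in SIGNED_PROTOCOLS:
            # the detached signature itself (second body part of multipart/signed)
            sig_parts.append(part.get_filename() or f"<unnamed {ctype}>")
        elif ctype == "text/plain":
            body = part.get_content()
            if all(m in body for m in (PGP_CLEARSIGN_BEGIN, PGP_SIG_BEGIN, PGP_SIG_END)):
                schemes.add("pgp-inline")
    return {"schemes": schemes, "micalg": micalgs, "signature_parts": sig_parts}


# Constructed sample 1: inline (clearsigned) PGP, the layout rowing-ghoul describes.
INLINE_PGP_MSG = b"""From: alice@example.com
To: bob@example.com
Subject: inline-signed
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Bob, this is the clear text.
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-ARMORED-SIGNATURE
-----END PGP SIGNATURE-----
"""

# Constructed sample 2: PGP/MIME signed first, then the whole thing S/MIME-signed
# (outer layer), i.e. the encapsulation Eric G mentions.
SMIME_OVER_PGPMIME_MSG = b"""From: alice@example.com
To: bob@example.com
Subject: doubly-signed
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="outer"

--outer
Content-Type: multipart/signed; protocol="application/pgp-signature";
 micalg=pgp-sha256; boundary="inner"

--inner
Content-Type: text/plain; charset=us-ascii

Hello Bob, this is the clear text.
--inner
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-ARMORED-SIGNATURE
-----END PGP SIGNATURE-----
--inner--

--outer
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVItREVSLVNJR05BVFVSRQ==
--outer--
"""

if __name__ == "__main__":
    for label, sample in (("inline", INLINE_PGP_MSG), ("nested", SMIME_OVER_PGPMIME_MSG)):
        print(label, classify_signatures(sample))
```

Because `walk()` yields a parent before its children, the `micalg` list doubles as a record of which scheme is outermost; for the nested sample it reads `['sha-256', 'pgp-sha256']`, confirming the S/MIME layer wraps the PGP/MIME one, and an S/MIME-only client can verify the outer layer while treating the inner `multipart/signed` as opaque content, exactly the "either order works" point made in the second answer.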