Skip to main content

Why use S/MIME?

The value of secure email

Secure email addresses three aspects of security:

Secure emails uses digital signing. A digital signature is created over the contents of the message and sent as an attachment with the email. If the signature is valid, it demonstrates who created the signature and the message has not been changed since the signature was created.

Secure emails can optionally be encrypted. So only the people with the correct key can decrypt it.

Different methods for secure emails

There are proprietary mechanisms for implementing secure email. But they all require both the sender and receiver to use special software or a special service.

With a standards based solution, there are two choices: Secure/Multipurpose Internet Mail Extensions (S/MIME) or Pretty Good Privacy (PGP). Both do the same things, signing and encryption, and both use the same underlying mathematics of public key cryptography. Where they differ is in the formats used and the trust model for certificates.

Certificates in PGP uses its own standard, which does not have a centralised system of trust. Each user is expected to determine if they trust a certificate or not. They do this either by verifying that a certificate belongs to a person by contacting that person directly, or through through a web-of-trust (e.g. if they trust a friend and that friend trusts the certificate).

Certificates in S/MIME follow the Public Key Infrastructure (PKI) standards, where a centralised system where certificates are trusted if they are issued by a trusted authority. These are the same types of certificates used in TLS for securing Web sites. This is easier to use, but it requires you to trust those issuing authorities and also to obtain certificates from them.

S/MIME is easier

These articles uses S/MIME for one simple reason: S/MIME is included in the default email programs that come with macOS, iOS and iPadOS, as well as other operating systems.

To use PGP, third-party programs or extensions have to be installed by both the sender and receiver. And also trust has to be established in the certificates. But PGP is popular with open source and free software developers, usually using the GNU Privacy Guard (GPG) implementation of PGP.

You and the receiver probably already have an email program that understands S/MIME. So all you need is a set of credentials for it.