I got an interesting question today about GPG, and I wanted to mention some of the design trade-offs that are in ZES versus FireGPG. Both will work with Zimbra (or at least ZES will when I release it ;-).
I actually started work looking at the FireGPG and GPG approach. I ended up ditching it (after writing most of it) for a few different reasons:
- FireGPG actually requires PGP installed on the Windows/Linux client to work. I was hoping it was JavaScript native, but no such luck. That being said, I am really skeptical of any approach that involves exposing the keys to the browser. Fundamentally, browsers were meant to integrate information. Encryption is designed to hide it. Bad mix ;-)
- FireGPG only supports OpenPGP. S/MIME is actually a more widespread platform (Thunderbird and Outlook support it even though GPG has more users).
- FireGPG doesn't encourage good key practices. And if your laptop goes, so go your keys, unless you expose them over the network to copy them to a different machine, or leave them lying around.
- The average PC can be hacked much more easily than a server. I'm decently sure it would be possible to hack a Firefox extension that could snoop for your keys. Even worse, if the programmer didn't really know what he/she was doing (and I am not omniscient by any stretch of the imagination) it might even be possible to remotely expose keys over the Internet. That's a real scary situation.
- You can't do real key management with this tool. If an employee leaves, and leaves a large amount of encrypted data, a company should ideally have a way to recover the key. (That's a controversial statement, but more and more companies require/depend on encryption to do business). I am interested in how the community feels about this one.
- At best it would only work with Firefox.
- With a client-side-only implementation, you lose all of the Zimbra goodness like searching, etc. I am a bit conflicted on this one, since Zimbra doesn't like the idea of mutable email messages once the message has been written to the store / sent via SMTP. That means to be searchable, you have to grab it when it first comes in, and do the encryption/decryption there. Right now I have cacheable passphrases that let me do that, but a "decrypt always" policy will need to be enabled to make that preferment. Not to mention the headache of managing keys. I am sure there is a better way to do this.
My original server-side version used the PGP binaries, but it was rather brittle as well. Screen scraping isn't a lot of fun ;-)
All that being said, FireGPG is actually a pretty cool tool and it's one of the programs I am using for compatibility testing. I am using Thunderbird and Outlook as well to test S/MIME support.
For you S/MIME experts out there: I understand that the certs have to be provided on a user-by-user basis from a cert authority. What is the possibility of a domain running their own cert authority? Is there something like an SSL certificate that bridges between the CA and the end user so you don't have to go to the CA every time?