[woodruffw]

Well, I don't know if I would call PGP so much more insane than CMS or PKCS#7 :-). Definitely worse, but CMS is not high up on the list of honorable cryptographic envelope designs.

On the format level, CMS has some of the same flaws as PGP: dynamic TLV encodings (BER), extension points everywhere, and a disconnect between format and cryptographic versioning. On the cryptographic level, S/MIME benefits somewhat from certificates on the Internet PKI being less of a wild west than PGP certificates, and from having a community group (the S/MIME Cert WG of the CA/B Forum) invested in strengthening S/MIME's certificate profile beyond the baseline stipulated in RFC 5280. Of course, for non-public S/MIME deployments, none of that applies.

All that said, I don't think I would treat S/MIME (or CMS, or PKCS#7) as a guiding star: EFAIL affected S/MIME too[1]. But they have the "advantage" of being bad at just their niche (signing and encryption of email), versus being bad at every niche. The latter is PGP's historic curse.

[1]: https://efail.de/

[jcranmer]

The way I've previously internalized it is CMS is bad principally because it's generic container of general generalizablity (on multiple levels, even) and the fundamentally wrong notion that signature and encryption are fully orthogonal. But generic generalizability can be ameliorated with a concerted, coordinated effort. As for S/MIME (specifically, working out how to embed CMS in MIME)... well, email and MIME make a good solution impossible from the outset, and S/MIME is probably the least bad you can do.

Encrypted email can never have a good solution simply because email is the poster child for "Why Postel's Law is a bad idea"

[woodruffw]

Completely agreed!