by Osmium 4717 days ago
Any recommended CAs for S/MIME for personal users? And is it possible to transparently use both, e.g. sign all outgoing mail with S/MIME by default, but also encrypt with, say, GPG if you happen to have that contact's public key?
3 comments

GPGMail is nicely integrated into Mail.app. It plays well with S/MIME, so you can have both installed and use whichever one is appropriate.

For easy steps on how to do this see here:

http://arstechnica.com/apple/2011/10/secure-your-e-mail-unde....

You can get a free cert from COMODO:

http://www.comodo.com/home/email-security/free-email-certifi....

No. You absolutely must confirm the key of people you correspond with. An internal CA in your organisation could achieve this, but the "trust a random list of CAs" model of security is fragile, and must be considered compromised in the face of an adversary like the NSA (or any government in a country where a CA on your trusted list is located).
Well, either you trust the CA system or you don't. If you do, then when you receive an S/MIME signature that your OS thinks is valid because of the root certificates it accepts, you can trust it "transparently".

If you don't trust the CA system, well then the web is a very scary place for you because it's all built on that and email is probably the least of your concerns.

The CAs are generally not "a random list", but rather a publicly accepted and accredited CA. Just like your https cert.

No. Degrees of trust are allowed, and you can choose to do different things in different contexts (browsing vs email) depending on the likelihood and likely damage of betrayal.
That's exactly the reason why the "DANE" approach is being developed now: to replace the use of CAs for HTTPS.

https://tools.ietf.org/wg/dane/

http://www.internetsociety.org/articles/dane-taking-tls-auth...
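The last comment points at DANE as the alternative to trusting the CA list. As an added example (not code from any commenter, nor from the DANE working group), here is the certificate-association matching step that a DANE-aware client performs against a TLSA record (RFC 6698) in Python. The "DER" byte strings and the record are constructed for the demo and are not real certificates; a real client would take the certificate from the peer and the TLSA record from a DNSSEC-validated lookup. Unknown selector or matching-type values fail closed, since a record the client cannot interpret must not be treated as a match.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample inputs: these byte strings stand in for DER encodings and are
# NOT real certificates; a deployment would take them from the TLS or S/MIME peer.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-certificate-body-for-demo"
SAMPLE_SPKI_DER = b"\x30\x59" + b"constructed-subject-public-key-info-for-demo"


@dataclass(frozen=True)
class TLSARecord:
    """One TLSA record (RFC 6698): usage, selector, matching type, association data."""
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the zone-file form, e.g. '3 1 1 <hex digest>'."""
    usage, selector, matching_type, hexdata = presentation.split(None, 3)
    return TLSARecord(int(usage), int(selector), int(matching_type),
                      bytes.fromhex(hexdata.replace(" ", "")))


def association_data(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field must equal for this certificate."""
    if record.selector == 0:
        selected = cert_der
    elif record.selector == 1:
        selected = spki_der
    else:
        raise ValueError(f"unknown selector {record.selector}")
    if record.matching_type == 0:
        return selected
    if record.matching_type == 1:
        return hashlib.sha256(selected).digest()
    if record.matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {record.matching_type}")


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate satisfies the record's association data.

    Unknown selector/matching-type values fail closed rather than matching.
    For usages 0 and 1 the peer must additionally pass normal PKIX chain
    validation; only usages 2 and 3 replace the trusted-CA list entirely, and
    in every case the TLSA record itself must have been validated with DNSSEC.
    """
    try:
        expected = association_data(record, cert_der, spki_der)
    except ValueError:
        return False
    return hmac.compare_digest(expected, record.data)


def matching_records(records, cert_der: bytes, spki_der: bytes):
    """Return the subset of records (if any) that accept this certificate."""
    return [r for r in records if tlsa_matches(r, cert_der, spki_der)]


# A DANE-EE (usage 3), SPKI (selector 1), SHA-256 (matching type 1) record built
# from the constructed sample key, as an operator would publish it for the host.
GOOD_RECORD = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI_DER).hexdigest()


if __name__ == "__main__":
    rec = parse_tlsa(GOOD_RECORD)
    print("genuine key accepted:", tlsa_matches(rec, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
    print("substituted key accepted:", tlsa_matches(rec, SAMPLE_CERT_DER, b"substituted-key"))
```

The point the comment thread circles around shows up in the usage field: with usage 3 the published digest is the whole trust decision, so a mis-issued certificate from any CA in the OS trust store does not match; with usages 0 and 1 the record only constrains which chain is acceptable and the CA list is still consulted.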