I looked into S/MIME when researching email crypto options. Someone please correct me if I'm wrong, but with S/MIME, you have to get a cert issued from a "trusted" provider--i.e. your employer, or Verisign, or Comodo, etc. If you don't, then a lot of apps either issue scary warnings or even just refuse to work with your self-signed cert. But if someone like Verisign or Comodo issues your cert, how can you be sure the cert they issued you hasn't been stored and shared with (for example) the NSA?
S/MIME seems to have the same problem as SSL, which is that to be really usable you have to trust a big company to provide you with encryption, and that company can be hacked, coerced, etc. But whereas SSL traffic is typically transitory in nature which makes it tougher to meaningfully capture and store, your emails are not transitory and can be accessed much more easily.
You don’t go and buy an SSL certificate from a CA. You pay for them to /sign/ your public key, presumably after verifying your identity. You generate the public/private key pair, and then you keep the private key private.
The CA could in theory sign Eve's private key along with metadata saying that private key belongs to you, but that just gives someone the ability to impersonate you. It doesn’t give Eve the ability to read emails that Bob sent to you with a key wrapped with your public key.
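The key-pair-stays-local flow this reply describes, as an added example (not code from the thread): it assumes the `openssl` command-line tool is installed, uses a constructed stand-in CA in place of a real provider, and a made-up subject name. The last function also shows the check that catches the opposite case, a certificate whose key was generated somewhere else.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI is on PATH.
# The key pair is generated locally, the CA only receives a CSR (public key
# plus identity), and the certificate that comes back is checked against the
# private key that never left this machine.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Generate a private key and a CSR; the CSR carries only the public key.
make_key_and_csr() {               # $1 = basename, $2 = subject CN
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr"
  ! grep -q 'PRIVATE KEY' "$WORK/$1.csr"   # nothing secret in what we send
}

# Stand-in CA (constructed for this example): a self-signed root that signs CSRs.
make_toy_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Toy CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
sign_csr() {                       # $1 = basename of the CSR; writes $1.crt
  openssl x509 -req -days 30 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
}

# The check worth running on any issued certificate: is the public key inside
# it the public half of the private key we generated ourselves?
cert_matches_key() {               # $1 = cert path, $2 = private key path
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  b=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

# Full run: local key -> CSR -> CA signs -> cert matches our key (exit 0).
# Then the failure case: a cert for a key generated "provider-side" does NOT
# match our key, so the check exits non-zero and demo still returns 0.
demo() {
  make_toy_ca
  make_key_and_csr local "alice@example.test"
  sign_csr local
  cert_matches_key "$WORK/local.crt" "$WORK/local.key" || return 1
  make_key_and_csr provider "alice@example.test"   # key made elsewhere
  sign_csr provider
  if cert_matches_key "$WORK/provider.crt" "$WORK/local.key"; then return 1; fi
  return 0
}
demo
```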
That's the one I used, and if I recall correctly they sent me an email with a link for me to download the cert. This suggests to me that it was generated server-side and that therefore they could have kept a copy for themselves. But I might be totally wrong on how it works.