List:       pgp-keyserver-folk
Subject:    Re: PGP kerserver infrastructure
From:       Michael Helm <helm () fionn ! es ! net>
Date:       2000-06-30 21:47:23

"L. Sassaman" writes:
> X.509 is a much older and cruftier standard. PGP is recognised by most to
> be the superior method for handling email and file encryption and signing.
> X.509 is designed to satisfy situations where there is a complex hierarchy
> in an X.500 setting.

I don't know about the first claim; PGP certainly developed partly
in response to PEM, which was based on hierarchies.  Which standard is better
I think is up to customers to decide.

X.509 really has nothing to do with hierarchies.  This is a misunderstanding
probably based on where it came to most people's attention: the PEM
RFCs, especially RFC 1422.  This RFC & the PEM proposal had a hierarchical
data model which never came to pass.  I think that if you ask Stephen
Kent today you'll get a pretty clear explanation of why X509 != hierarchies.
Even X.500 does not require much of a hierarchy; it's the implementation
& data model for the world-wide DIT that required one.

Obviously X.509 certificates are a whole lot happier in rigid hierarchies
than webs of signed PGP keys.

> Note, also, that it is extremely easy to bind an X.509 certificate to an
> OpenPGP key, for instances where X.509 is necessary. You can also have
> multiple X.509 certificates bound to one OpenPGP key, all sharing the same
> key material. Much more convenient.

I think this glacially slow movement towards interoperability is
a real value center.  If we could sign & encrypt information & 
not have to worry whether the recipient believes in one god, three,
or a million, that would be useful.  The moral of this is that a
future keyserver that could interoperate with x509 certificate
infrastructures lurking in the neighborhood could also be a good thing.
