
Re: S/MIME winz

1998-03-19 00:31:09
* A. Padgett Peterson P.E. Information Security wrote:
compliant. Will say that the crypto (other than being intercommunicating)
is really the least part - it is the directory and key management structure
that will make or break. At the moment it is the only one I have seen that 
is independent of a mail structure and provides for diversified management.
(opposing views welcome).

At 07:49 AM 3/11/98 GMT, Lutz Donnerhacke wrote:
X.509 (aka S/MIME) is a strong hierarchical PKI. PGP has a complete
distributed PKI.

X.509 is NOT a hierarchical PKI.
It's a syntax for one key certifying another key.
It doesn't provide the infrastructure or restrict the relationships.
You can build hierarchies with it, or with PGP, and you can
build non-hierarchical webs of trust with it or with PGP.

Unlike PGP, which has a complex key structure that
encourages each key to have multiple signatures,
an X.509 cert only has one signature on it,
so multiple signatures require multiple X.509 records.
That's more work for a directory structure to manage;
it's just a tuple, and fits fine in a relational database structure.
You just have to make sure the directory APIs can handle
multiple records in response to a query.
(Does anybody know how LDAP feels about this?)

IMHO, any directory system that can't handle collisions is
nearly unusable anyway, because it requires complex validation
of every record stored in it to avoid them,
and even then you still have companies with multiple
employees named Joe Johnson that you need to differentiate between.

Some of X.509's early advocates, like Steve Kent,
strongly believe in and push the hierarchical model with certs
indicating True Names, but the standard itself doesn't require it,
and later X.509 versions don't force you to use X.500 names.

It may be that one of the most important things we can do
is create a good web-of-trust management tool that's
easily readable by S/MIME programs, so the S/MIME users get
off on the right foot and don't build hierarchies into the system.

                                Thanks! 
                                        Bill
Bill Stewart, bill(_dot_)stewart(_at_)pobox(_dot_)com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
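The data-model point in the message above (an X.509 record carries one signature, so PGP's "many signatures on one key" becomes many records; a directory must return several records per query, including name collisions; and both a hierarchy and a web of trust can be validated from the same tuples) worked through as an added example. This is illustration code written for this page, not code from the thread, from any S/MIME or PGP implementation, or from an LDAP server. It assumes an in-memory SQLite table as the "relational directory", constructed sample names and key ids, and rows that record only the subject/issuer link: a real directory client would cryptographically verify each certificate's signature before letting a row count toward any trust decision.

```python
import sqlite3
from collections import defaultdict

# Constructed sample directory content (hypothetical names and key ids).
# Each tuple models one X.509-style certificate: a single issuer vouching
# for one subject key. Several rows with the same subject_key_id are the
# X.509 equivalent of several signatures on one PGP key.
CERT_RECORDS = [
    # (subject_name, subject_key_id, issuer_key_id)
    ("Joe Johnson", "K-JOE-1", "K-ALICE"),
    ("Joe Johnson", "K-JOE-1", "K-BOB"),
    ("Joe Johnson", "K-JOE-1", "K-CAROL"),
    ("Joe Johnson", "K-JOE-2", "K-MALLORY"),  # a different Joe Johnson: name collision
    ("Alice Example", "K-ALICE", "K-BOB"),
    ("Bob Example", "K-BOB", "K-ALICE"),
    ("Carol Example", "K-CAROL", "K-CAROL"),  # self-signed, acts as a root below
]


def build_directory(records=CERT_RECORDS):
    """Load the tuples into a relational store; one row per certificate."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE cert (
               subject_name   TEXT NOT NULL,
               subject_key_id TEXT NOT NULL,
               issuer_key_id  TEXT NOT NULL,
               PRIMARY KEY (subject_key_id, issuer_key_id))"""
    )
    conn.executemany("INSERT INTO cert VALUES (?, ?, ?)", records)
    return conn


def lookup_by_name(conn, name):
    """Directory query by name. The API must cope with several records:
    several certifiers of one key, and several distinct keys sharing a name.
    Returns {subject_key_id: [issuer_key_id, ...]} so the caller can tell
    the Joe Johnsons apart by key rather than by name."""
    rows = conn.execute(
        "SELECT subject_key_id, issuer_key_id FROM cert "
        "WHERE subject_name = ? ORDER BY subject_key_id, issuer_key_id",
        (name,),
    ).fetchall()
    by_key = defaultdict(list)
    for key_id, issuer in rows:
        by_key[key_id].append(issuer)
    return dict(by_key)


def web_of_trust_valid(conn, name, key_id, trusted_issuers, required=2):
    """Non-hierarchical validation over the single-signature tuples: accept
    the key if at least `required` keys the relying party trusts directly
    have certified it (the same counting PGP does over multiple signatures).
    A self-signature never counts as an endorsement."""
    issuers = lookup_by_name(conn, name).get(key_id, [])
    endorsements = {i for i in issuers if i in trusted_issuers and i != key_id}
    return len(endorsements) >= required


def chains_to_root(conn, key_id, root_key_id):
    """Hierarchical validation built from the very same tuples: follow
    issuer links upward and accept if any path reaches the chosen root.
    Breadth-first with a seen-set so cycles (e.g. self-signatures) terminate."""
    frontier, seen = [key_id], {key_id}
    while frontier:
        current = frontier.pop()
        if current == root_key_id:
            return True
        for (issuer,) in conn.execute(
            "SELECT issuer_key_id FROM cert WHERE subject_key_id = ?", (current,)
        ):
            if issuer not in seen:
                seen.add(issuer)
                frontier.append(issuer)
    return False


if __name__ == "__main__":
    db = build_directory()
    print("Joe Johnson ->", lookup_by_name(db, "Joe Johnson"))
    my_trusted = {"K-ALICE", "K-BOB"}
    print("K-JOE-1 by web of trust:", web_of_trust_valid(db, "Joe Johnson", "K-JOE-1", my_trusted))
    print("K-JOE-2 by web of trust:", web_of_trust_valid(db, "Joe Johnson", "K-JOE-2", my_trusted))
    print("K-JOE-1 under root K-CAROL:", chains_to_root(db, "K-JOE-1", "K-CAROL"))
    print("K-JOE-2 under root K-CAROL:", chains_to_root(db, "K-JOE-2", "K-CAROL"))
```

The primary key on (subject_key_id, issuer_key_id) is what makes "one record per signature" a clean relational fit; the name column is deliberately not unique, so a collision is just another row and the query result, keyed by key id, is what distinguishes the two Joe Johnsons. Whether the caller then runs `web_of_trust_valid` or `chains_to_root` is a policy choice layered on top; nothing in the tuples themselves forces the hierarchy.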
