Re: OpenPGP vs. X.509/PKCS

2002-02-21 15:46:01

At the time PGP was created, there were a LOT of things that PGP
could offer that X.509 could not.  To name a few:

 - PGP certificates are MUCH smaller than X.509 in terms of the number
   of bytes required to represent the same semantic content.

 - at the time X.509 certificates could only carry a single signature,
   forcing users into a strict hierarchical model, whereas PGP allows
   the opportunity for a more web-like model that better mirrors
   real-world relationships.

 - PGP certificates are self-generated, and require no interaction
   with anybody in order to start using the system, whereas with X.509
   you need to get your key signed by an authority before you can use
   it at all.

Note that the question you are asking does not necessarily follow from
the question that I answered.  The question was about why PKCS was
created.  PKCS came from RSADSI, which was the company that owned the
RSA patent.  They created the PKCS standards.

As for why X.509 took off?  It took off because there was money to be
made when you force users to use your services (read: you're a CA),
and because you have a business whereas PGP does not.  (Note that all
this happened in the early 90s, well before PGP, Inc. existed).


"Leon Kuunders" <leon(_at_)netsecure(_dot_)nl> writes:

So the question is: how could we turn OpenPGP into a more-money-making
infrastructure? And that comes down to: what kind of need would there be for
OpenPGP? If there is already X509? What can OpenPGP do that the other one
can't? And what kind of business model would go with that?

Is it feasible to think that as long as the 'mainstream' is not convinced of
the fact that OpenPGP can bring them _more_ money than X509 - that this
battle is moving towards a definite end?


From: Derek Atkins

Because "they" weren't making any money off of PGP. :)


john(_dot_)dlugosz(_at_)kodak(_dot_)com writes:

From: John Dlugosz

If PGP was indeed established as the first useful PK system, why did
"they" come up with PKCS standards that are totally different?  Why did
PKCS-style files and formats propagate through Internet standards, when
all along everyone was using PGP, and had access to that code?

       Derek Atkins
       Computer and Internet Security Consultant

