ietf-openpgp

Re: Status of RFC2440

2004-10-20 11:34:08


> I've been asked to speak at an Identity
> conference and while I was musing on the
> unsuitability of x.509/PKI for identity,
> it occurred to me that one of the barriers
> is that OpenPGP is not a standard, whereas
> x.509 is.


Huh? OpenPGP isn't a standard? How?

In the last couple of years there's been a resurgence of OpenPGP-based systems. I see new ones coming on line (usually in an email that says something like, "Is this a competitor of yours?") about at the rate of one every month or two, but I've gotten two of them this *week*. More than one of these new people have contributed here. If anything, OpenPGP is undergoing a renaissance right now. There are also other bits of ground breaking on further adoption that I can't talk about, but I can tell you that I don't see this pattern stopping.

My products support both OpenPGP and X.509, and my official policy is to be format agnostic. However, I'll say that while X.509 is a "standard," it is a "standard" that you often have to make work by doing passive fingerprinting on the certs. You look at it, infer what software or CA created it, and special-case the handling of the crypto system accordingly. I'm not complaining, merely stating. For anyone who goes to the trouble of walking the minefield of X.509 interoperability, this "standard" is a huge barrier to entry to competition. Unlike OpenPGP, where someone can knock off an interoperable system with a little bit of work (hacking, if necessary, your own previous systems and others like the Perl module) and end up with something that works, X.509 takes *work* to make interoperate, and this is a huge boon for anyone who actually makes a living at this.

Yes, yes, there are open source toolkits for X.509. I've used them. My conclusion was that those nice folks at GeoTrust provide a good service for the money, especially when I compute my own hourly rate and the fact that I could otherwise be doing something fun.

Be sure to tell them that, when you talk about the superiority of "standards" to mere RFCs. :-)

        Jon

