
Re: [openpgp] Can the OpenPGP vs. S/MIME situation be fixed?

2016-07-07 09:46:21
Phillip Hallam-Baker <phill@hallambaker.com> writes:

    OpenPGP can support hierarchical certificate deployments just fine (my
    company is building one) as well as the Web of Trust model.  X.509
    cannot support a Web of Trust deployment, period.
   
    So there is a clear winner here.

You can in fact make X.509 do Web of Trust. You simply give each user their
own CA root and cross-certify.

I guess X.509v3 does, theoretically, allow multiple signatures on a
certificate, but I was under the impression that zero implementations
actually supported that?

I was doing that for quite a while till I realized that the legacy stuff was
hurting rather than helping. Yes, you can get the protocols to do more than the
apps let them. But you don't have the advantage of legacy platform support, or of
the legacy platform ignoring your stuff in a predictable way.

The nice thing here is that legacy OpenPGP apps DO support hierarchical
deployments without any changes.  The only thing you need to do for
OpenPGP is that you need to tell the program to trust the CA.  This
does have the benefit (or I suppose if you come from an X.509 world it's
a drawback) that each user needs to declare which CAs are trusted.

I am curious in what way you found the legacy OpenPGP deployments didn't
support hierarchical trust?  Or are you saying that legacy X.509 didn't
support a Web of Trust model (which, honestly, doesn't surprise me)?

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant

_______________________________________________
openpgp mailing list
openpgp@ietf.org
https://www.ietf.org/mailman/listinfo/openpgp