Re: X.509 and PGP

On Mar 18, 2004, at 12:50, ext Chris Bizer wrote:

>
>>
>> OK, so either way, all we need is the swp:authority and swp:signature,
>> and then via the URI of the authority we obtain a certificate for the
>> authority,
>
>
>
> Yes.
>
>
>
> where the CA of that certificate is either the authority
>> itself (PGP) or is specified in the certificate (X509).
>>
>> Right?
>>
>
> Sorry, no. The idea with PGP's Web-of-Trust approach is that:
>
>
>
> 1. I get somehow convinced that a public key belongs to you (maybe by
> meeting you).
>
> 2. Thus I sign your public key with my private key creating a 
> certificate
> for your public key.
>
> 3. Jeremy might do the same with my public key. Thus we end up with two
> certificates that we publish on a PGP key and certificate server (list 
> of
> servers found at http://www.pgpi.org/services/keys/keyservers/)
>
> 4. If now Pat wants to decide if he trusts a public key which claims to
> belong to you, he gets the two certificates from the server. If Pat 
> trusts
> Jeremy's public key, he can use the key to verify the certificate from
> Jeremy claiming that a public key belongs to me. With his information 
> Pat
> can verify my certificate claiming that your key belongs to you.
>
>
>
> Thus following the decentralized certification chain Pat ends up with 
> some
> trust in your key and might use it to verify a message you have 
> signed. When
> these chains are becoming longer, things start to get fuzzy.
>
>
>
> But it is mainly the same approach we are proposing for assertion and 
> the
> one Tim Berners-Lee proposes for rating information sources on the 
> Semantic
> Web.
>
>
>

OK, so in either case (PGP or X509) you have a CA, and for PGP
different folks vouch for other folks whereas for X509 one entity
vouches for a set of registered users.

Ultimately, one has to decide both whether (a) they trust the CA
and trust the authority.

Yes?

Patrick


--

Patrick Stickler
Nokia, Finland
patrick.stickler@nokia.com

Received on Thursday, 18 March 2004 07:27:49 UTC