W3C home > Mailing lists > Public > www-archive@w3.org > March 2004

Re: X.509 and PGP

From: Chris Bizer <chris@bizer.de>
Date: Thu, 18 Mar 2004 11:50:08 +0100
Message-ID: <003701c40cd6$cacdb4f0$1f12fea9@named4gc1asnuj>
To: "Patrick Stickler" <patrick.stickler@nokia.com>
Cc: "ext Jeremy Carroll" <jjc@hpl.hp.com>, <phayes@ihmc.us>, <www-archive@w3.org>, <jjc@hplb.hpl.hp.com>

>
> OK, so either way, all we need is the swp:authority and swp:signature,
> and then via the URI of the authority we obtain a certificate for the
> authority,



Yes.



where the CA of that certificate is either the authority
> itself (PGP) or is specified in the certificate (X509).
>
> Right?
>

Sorry, no. The idea with PGP's Web-of-Trust approach is that:



1. I get somehow convinced that a public key belongs to you (maybe by
meeting you).

2. Thus I sign your public key with my private key creating a certificate
for your public key.

3. Jeremy might do the same with my public key. Thus we end up with two
certificates that we publish on a PGP key and certificate server (list of
servers found at http://www.pgpi.org/services/keys/keyservers/)

4. If now Pat wants to decide if he trusts a public key which claims to
belong to you, he gets the two certificates from the server. If Pat trusts
Jeremy's public key, he can use the key to verify the certificate from
Jeremy claiming that a public key belongs to me. With his information Pat
can verify my certificate claiming that your key belongs to you.



Thus following the decentralized certification chain Pat ends up with some
trust in your key and might use it to verify a message you have signed. When
these chains are becoming longer, things start to get fuzzy.



But it is mainly the same approach we are proposing for assertion and the
one Tim Berners-Lee proposes for rating information sources on the Semantic
Web.



Chris


.
Received on Thursday, 18 March 2004 06:48:17 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:32:25 UTC