Differences: OpenPGP vs. X.509

Robert J. Hansen rjh at sixdemonbag.org
Sat Jan 24 23:06:45 CET 2009

Stefan X wrote:
> I see you didn't mean that MD5 is REQUIRED but mean that the problem is
> MD5 is ALLOWED. I agree that this is really a problem.

More like, "support for MD5 is required."  Sure, you can create X.509
certs that use SHA-1, but the number of MD5 certs in the X.509
ecosystem, and the incredible problems involved in moving these certs to
better hashes, mean that I think it's pretty premature to talk about
merging X.509 and OpenPGP.

I'd like to see X.509 get their house in order.  Once that's taken care
of, then we can start discussing bringing the two standards closer together.

